2022-07-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106413
	* varargs.cc (region_model::impl_call_va_start): Avoid iterating
	through non-existent variadic arguments by initializing the
	impl_region to "UNKNOWN" if the va_start occurs in the top-level
	function to the analysis.

2022-07-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106401
	* store.cc (binding_cluster::binding_cluster): Remove overzealous
	assertion; we're checking for tracked_p in
	store::get_or_create_cluster.

2022-07-22  Tim Lange  <mail@tim-lange.me>

	PR analyzer/106394
	* region-model.cc (capacity_compatible_with_type): Always return true
	if alloc_size is zero.

2022-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106383
	* varargs.cc (region_model::impl_call_va_arg): When determining if
	we're doing interprocedural analysis, use the stack depth of the
	frame in which va_start was called, rather than the current stack
	depth.

2022-07-21  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (tainted_array_index::emit): Bulletproof against
	NULL m_arg.
	(tainted_array_index::describe_final_event): Likewise.
	(tainted_size::emit): Likewise.
	(tainted_size::describe_final_event): Likewise.

2022-07-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106374
	* region.cc (decl_region::get_svalue_for_initializer): Bail out on
	untracked regions.

2022-07-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106373
	* sm-taint.cc (taint_state_machine::on_condition): Potentially
	update the state of the RHS as well as the LHS.

2022-07-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106359
	* region.h (string_region::tracked_p): New.
	* store.cc (binding_cluster::binding_cluster): Move here from
	store.h. Add assertion that base_region is tracked_p.
	* store.h (binding_cluster::binding_cluster): Move to store.cc.

2022-07-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106321
	* constraint-manager.h (bounded_ranges::get_count): New.
	(bounded_ranges::get_range): New.
	* engine.cc (impl_region_model_context::on_bounded_ranges): New.
	* exploded-graph.h (impl_region_model_context::on_bounded_ranges):
	New decl.
	* region-model.cc (region_model::apply_constraints_for_gswitch):
	Potentially call ctxt->on_bounded_ranges.
	* region-model.h (region_model_context::on_bounded_ranges): New
	vfunc.
	(noop_region_model_context::on_bounded_ranges): New.
	(region_model_context_decorator::on_bounded_ranges): New.
	* sm-taint.cc: Include "analyzer/constraint-manager.h".
	(taint_state_machine::on_bounded_ranges): New.
	* sm.h (state_machine::on_bounded_ranges): New.

2022-07-19  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::process_node): Show any description
	of the out-edge when logging it for consideration.

2022-07-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106284
	* sm-taint.cc (taint_state_machine::on_condition): Handle range
	checks optimized by build_range_check.

2022-07-15  Jonathan Wakely  <jwakely@redhat.com>

	* call-info.cc (call_info::print): Adjust to new label_text API.
	* checker-path.cc (checker_event::dump): Likewise.
	(region_creation_event::get_desc): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(call_event::get_desc): Likewise.
	(return_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc (diagnostic_manager::prune_for_sm_diagnostic):
	Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* engine.cc (feasibility_state::maybe_update_for_edge):
	Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_analyzer_describe): Likewise.
	(region_model::impl_call_analyzer_dump_capacity): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (start_cfg_edge_event::get_desc): Update for
	superedge::get_description returning a label_text.
	* engine.cc (feasibility_state::maybe_update_for_edge): Likewise.
	* supergraph.cc (superedge::dump): Likewise.
	(superedge::get_description): Convert return type from char * to
	label_text.
	* supergraph.h (superedge::get_description): Likewise.

2022-07-07  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc (call_info::print): Update for removal of
	label_text::maybe_free in favor of automatic memory management.
	* checker-path.cc (checker_event::dump): Likewise.
	(checker_event::prepare_for_emission): Likewise.
	(state_change_event::get_desc): Likewise.
	(superedge_event::should_filter_p): Likewise.
	(start_cfg_edge_event::get_desc): Likewise.
	(warning_event::get_desc): Likewise.
	(checker_path::dump): Likewise.
	(checker_path::debug): Likewise.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	(diagnostic_manager::prune_interproc_events): Likewise.
	* program-state.cc (sm_state_map::to_json): Likewise.
	* region.cc (region::to_json): Likewise.
	* sm-malloc.cc (inform_nonnull_attribute): Likewise.
	* store.cc (binding_map::to_json): Likewise.
	(store::to_json): Likewise.
	* svalue.cc (svalue::to_json): Likewise.

2022-07-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106225
	* sm-taint.cc (taint_state_machine::on_stmt): Move handling of
	assignments from division to...
	(taint_state_machine::check_for_tainted_divisor): ...this new
	function. Reject warning when the divisor is known to be non-zero.
	* sm.cc: Include "analyzer/program-state.h".
	(sm_context::get_old_region_model): New.
	* sm.h (sm_context::get_old_region_model): New decl.

2022-07-06  Immad Mir  <mirimmad@outlook.com>

	PR analyzer/106184
	* sm-fd.cc (fd_state_machine): Change ordering of initialization
	of state m_invalid so that the order of initializers is the same as
	the ordering of the fields in the class decl.

2022-07-06  Immad Mir  <mirimmad@outlook.com>

	* sm-fd.cc (use_after_close): Save the "close" event and
	show it where possible.

2022-07-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/106204
	* region-model.cc (within_short_circuited_stmt_p): Move extraction
	of assign_stmt to caller.
	(due_to_ifn_deferred_init_p): New.
	(region_model::check_for_poison): Move extraction of assign_stmt
	from within_short_circuited_stmt_p to here. Share logic with
	call to due_to_ifn_deferred_init_p.

2022-07-02  Tim Lange  <mail@tim-lange.me>

	PR analyzer/105900
	* analyzer.opt: Added Wanalyzer-allocation-size.
	* checker-path.cc (region_creation_event::get_desc): Added call to new
	virtual function pending_diagnostic::describe_region_creation_event.
	* checker-path.h: Added region_creation_event::get_desc.
	* diagnostic-manager.cc (diagnostic_manager::add_event_on_final_node):
	New function.
	* diagnostic-manager.h:
	Added diagnostic_manager::add_event_on_final_node.
	* pending-diagnostic.h (struct region_creation): New event_desc struct.
	(pending_diagnostic::describe_region_creation_event): Added virtual
	function to overwrite description of a region creation.
	* region-model.cc (class dubious_allocation_size): New class.
	(capacity_compatible_with_type): New helper function.
	(class size_visitor): New class.
	(struct_or_union_with_inheritance_p): New helper function.
	(is_any_cast_p): New helper function.
	(region_model::check_region_size): New function.
	(region_model::set_value): Added call to
	region_model::check_region_size.
	* region-model.h (class region_model): New function check_region_size.
	* svalue.cc (region_svalue::accept): Changed to post-order traversal.
	(initial_svalue::accept): Likewise.
	(unaryop_svalue::accept): Likewise.
	(binop_svalue::accept): Likewise.
	(sub_svalue::accept): Likewise.
	(repeated_svalue::accept): Likewise.
	(bits_within_svalue::accept): Likewise.
	(widening_svalue::accept): Likewise.
	(unmergeable_svalue::accept): Likewise.
	(compound_svalue::accept): Likewise.
	(conjured_svalue::accept): Likewise.
	(asm_output_svalue::accept): Likewise.
	(const_fn_result_svalue::accept): Likewise.

2022-07-02  Immad Mir  <mirimmad17@gmail.com>

	PR analyzer/106003
	* analyzer.opt (Wanalyzer-fd-leak): New option.
	(Wanalyzer-fd-access-mode-mismatch): New option.
	(Wanalyzer-fd-use-without-check): New option.
	(Wanalyzer-fd-double-close): New option.
	(Wanalyzer-fd-use-after-close): New option.
	* sm.h (make_fd_state_machine): New decl.
	* sm.cc (make_checkers): Call make_fd_state_machine.
	* sm-fd.cc: New file.

2022-06-24  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc: Add includes of "analyzer/analyzer.h"
	and "analyzer/analyzer-logging.h".
	(call_string::call_string): Delete copy ctor.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete.
	(call_string::cmp_ptr_ptr): New.
	(call_string::validate): Assert that m_parent is non-NULL, or
	m_elements is empty.
	(call_string::call_string): Move default ctor here from
	call-string.h and reimplement. Add ctor taking a parent
	and an element.
	(call_string::~call_string): New.
	(call_string::recursive_log): New.
	* call-string.h (call_string::call_string): Move default ctor's
	defn to call-string.cc. Delete copy ctor. Add ctor taking a
	parent and an element.
	(call_string::operator=): Delete.
	(call_string::operator==): Delete.
	(call_string::hash): Delete.
	(call_string::push_call): Make const, returning the resulting
	call_string.
	(call_string::pop): Delete decl.
	(call_string::get_parent): New.
	(call_string::cmp_ptr_ptr): New decl.
	(call_string::get_top_of_stack): New.
	(struct call_string::hashmap_traits_t): New.
	(class call_string): Add friend class region_model_manager. Add
	DISABLE_COPY_AND_ASSIGN.
	(call_string::~call_string): New decl.
	(call_string::recursive_log): New decl.
	(call_string::m_parent): New field.
	(call_string::m_children): New field.
	* constraint-manager.cc (selftest::test_many_constants): Pass
	model manager to program_point::origin.
	* engine.cc (exploded_graph::exploded_graph): Likewise.
	(exploded_graph::add_function_entry): Likewise for
	program_point::from_function_entry.
	(add_tainted_args_callback): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for change to program_point.get_call_string.
	(exploded_graph::process_node): Likewise.
	(class function_call_string_cluster): Convert m_cs from a
	call_string to a const call_string &.
	(struct function_call_string): Likewise.
	(pod_hash_traits<function_call_string>::hash): Use pointer_hash
	for m_cs.
	(pod_hash_traits<function_call_string>::equal): Update for change
	to m_cs.
	(root_cluster::add_node): Update for change to
	function_call_string.
	(viz_callgraph_node::dump_dot): Update for change to call_string.
	* exploded-graph.h (per_call_string_data::m_key): Convert to a
	reference.
	(struct eg_call_string_hash_map_traits): Delete.
	(exploded_graph::call_string_data_map_t): Remove traits class.
	* program-point.cc: Move include of "analyzer/call-string.h" to
	after "analyzer/analyzer-logging.h".
	(program_point::print): Update for conversion of m_call_string to
	a pointer.
	(program_point::to_json): Likewise.
	(program_point::push_to_call_stack): Update for immutability of
	call strings.
	(program_point::pop_from_call_stack): Likewise.
	(program_point::hash): Use pointer hashing for m_call_string.
	(program_point::get_function_at_depth): Update for change to
	m_call_string.
	(program_point::validate): Update for changes to call_string.
	(program_point::on_edge): Likewise.
	(program_point::origin): Move here from call-string.h. Add
	region_model_manager param and use it to get empty call string.
	(program_point::from_function_entry): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	(selftest::test_function_point_ordering): Likewise.
	* program-point.h (program_point::program_point): Update for
	change to m_call_string.
	(program_point::get_call_string): Likewise.
	(program_point::get_stack_depth): Likewise.
	(program_point::origin): Add region_model_manager param, and move
	defn to call-string.cc.
	(program_point::from_function_entry): Likewise.
	(program_point::empty): Drop call_string.
	(program_point::deleted): Likewise.
	(program_point::program_point): New private ctor.
	(program_point::m_call_string): Convert from call_string to const
	call_string *.
	* program-state.cc (selftest::test_program_state_merging): Update
	for call_string changes.
	(selftest::test_program_state_merging_2): Likewise.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Construct
	m_empty_call_string.
	(region_model_manager::log_stats): Log the call strings.
	* region-model.cc (assert_region_models_merge): Pass the
	region_model_manager when creating program_point instances.
	(selftest::test_state_merging): Likewise.
	(selftest::test_constraint_merging): Likewise.
	(selftest::test_widening_constraints): Likewise.
	(selftest::test_iteration_1): Likewise.
	* region-model.h (region_model_manager::get_empty_call_string):
	New.
	(region_model_manager::m_empty_call_string): New.
	* sm-signal.cc (register_signal_handler::impl_transition): Update
	for changes to call_string.

2022-06-24  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc (call_string::calc_recursion_depth): Whitespace
	cleanups.
	(call_string::cmp): Likewise.
	(call_string::get_caller_node): Likewise.
	(call_string::validate): Likewise.
	* engine.cc (dynamic_call_info_t::add_events_to_path): Likewise.
	(exploded_graph::get_per_function_data): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::maybe_create_dynamic_call): Likewise.
	(exploded_graph::process_node): Likewise.

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* varargs.cc (va_arg_type_mismatch::emit): Associate the warning
	with CWE-686 ("Function Call With Incorrect Argument Type").

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* varargs.cc: Include "diagnostic-metadata.h".
	(va_list_exhausted::emit): Associate the warning with
	CWE-685 ("Function Call With Incorrect Number of Arguments").

2022-06-16  David Malcolm  <dmalcolm@redhat.com>

	* sm-file.cc (double_fclose::emit): Associate the warning with
	CWE-1341 ("Multiple Releases of Same Resource or Handle").

2022-06-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105962
	* analyzer.opt (fanalyzer-undo-inlining): New option.
	* checker-path.cc: Include "diagnostic-core.h" and
	"inlining-iterator.h".
	(event_kind_to_string): Handle EK_INLINED_CALL.
	(class inlining_info): New class.
	(checker_event::checker_event): Move here from checker-path.h.
	Store original fndecl and depth, and calculate effective fndecl
	and depth based on inlining information.
	(checker_event::dump): Emit original depth as well as effective
	depth when they differ; likewise for fndecl.
	(region_creation_event::get_desc): Use m_effective_fndecl.
	(inlined_call_event::get_desc): New.
	(inlined_call_event::get_meaning): New.
	(checker_path::inject_any_inlined_call_events): New.
	* checker-path.h (enum event_kind): Add EK_INLINED_CALL.
	(checker_event::checker_event): Make protected, and move
	definition to checker-path.cc.
	(checker_event::get_fndecl): Use effective fndecl.
	(checker_event::get_stack_depth): Use effective stack depth.
	(checker_event::get_logical_location): Use effective stack depth.
	(checker_event::get_original_stack_depth): New.
	(checker_event::m_fndecl): Rename to...
	(checker_event::m_original_fndecl): ...this.
	(checker_event::m_depth): Rename to...
	(checker_event::m_original_depth): ...this.
	(checker_event::m_effective_fndecl): New field.
	(checker_event::m_effective_depth): New field.
	(class inlined_call_event): New checker_event subclass.
	(checker_path::inject_any_inlined_call_events): New decl.
	* diagnostic-manager.cc: Include "inlining-iterator.h".
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::inject_any_inlined_call_events.
	(diagnostic_manager::prune_for_sm_diagnostic): Handle
	EK_INLINED_CALL.
	* engine.cc (tainted_args_function_custom_event::get_desc): Use
	effective fndecl.
	* inlining-iterator.h: New file.

2022-06-15  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::dump_dot_id): New.
	(saved_diagnostic::dump_as_dot_node): New.
	* diagnostic-manager.h (saved_diagnostic::dump_dot_id): New decl.
	(saved_diagnostic::dump_as_dot_node): New decl.
	* engine.cc (exploded_node::dump_dot): Add nodes for saved
	diagnostics.

2022-06-02  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (checker_event::get_meaning): New.
	(function_entry_event::get_meaning): New.
	(state_change_event::get_desc): Add dump of meaning of the event
	to the -fanalyzer-verbose-state-changes output.
	(state_change_event::get_meaning): New.
	(cfg_edge_event::get_meaning): New.
	(call_event::get_meaning): New.
	(return_event::get_meaning): New.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New.
	* checker-path.h: Include "tree-logical-location.h".
	(checker_event::checker_event): Construct m_logical_loc.
	(checker_event::get_logical_location): New.
	(checker_event::get_meaning): New decl.
	(checker_event::m_logical_loc): New.
	(function_entry_event::get_meaning): New decl.
	(state_change_event::get_meaning): New decl.
	(cfg_edge_event::get_meaning): New decl.
	(call_event::get_meaning): New decl.
	(return_event::get_meaning): New decl.
	(start_consolidated_cfg_edges_event::get_meaning): New.
	(warning_event::get_meaning): New decl.
	* pending-diagnostic.h: Include "diagnostic-path.h".
	(pending_diagnostic::get_meaning_for_state_change): New vfunc.
	* sm-file.cc (file_diagnostic::get_meaning_for_state_change): New
	vfunc impl.
	* sm-malloc.cc (malloc_diagnostic::get_meaning_for_state_change):
	Likewise.
	* sm-sensitive.cc
	(exposure_through_output_file::get_meaning_for_state_change):
	Likewise.
	* sm-taint.cc (taint_diagnostic::get_meaning_for_state_change):
	Likewise.
	* varargs.cc
	(va_list_sm_diagnostic::get_meaning_for_state_change): Likewise.

2022-05-23  David Malcolm  <dmalcolm@redhat.com>

	* call-info.cc: Add "final" and "override" to all vfunc
	implementations that were missing them, as appropriate.
	* engine.cc: Likewise.
	* region-model.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* supergraph.h: Likewise.
	* svalue.cc: Likewise.
	* varargs.cc: Likewise.

2022-05-20  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc: Replace uses of "FINAL" and "OVERRIDE" with
	"final" and "override".
	* call-info.h: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	* exploded-graph.h: Likewise.
	* feasible-graph.h: Likewise.
	* pending-diagnostic.h: Likewise.
	* region-model-impl-calls.cc: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* region.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* state-purge.h: Likewise.
	* store.cc: Likewise.
	* store.h: Likewise.
	* supergraph.h: Likewise.
	* svalue.h: Likewise.
	* trimmed-graph.h: Likewise.
	* varargs.cc: Likewise.

2022-05-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105103
	* analyzer.cc (make_label_text_n): New.
	* analyzer.h (class var_arg_region): New forward decl.
	(make_label_text_n): New decl.
	* analyzer.opt (Wanalyzer-va-arg-type-mismatch): New option.
	(Wanalyzer-va-list-exhausted): New option.
	(Wanalyzer-va-list-leak): New option.
	(Wanalyzer-va-list-use-after-va-end): New option.
	* checker-path.cc (call_event::get_desc): Split out decl access
	into...
	(call_event::get_caller_fndecl): ...this new function and...
	(call_event::get_callee_fndecl): ...this new function.
	* checker-path.h (call_event::get_desc): Drop "FINAL".
	(call_event::get_caller_fndecl): New decl.
	(call_event::get_callee_fndecl): New decl.
	(class call_event): Make fields protected.
	* diagnostic-manager.cc (null_assignment_sm_context::warn): New
	overload.
	(null_assignment_sm_context::get_new_program_state): New.
	(diagnostic_manager::add_events_for_superedge): Move case
	SUPEREDGE_CALL to a new pending_diagnostic::add_call_event vfunc.
	* engine.cc (impl_sm_context::warn): Implement new override.
	(impl_sm_context::get_new_program_state): New.
	* pending-diagnostic.cc: Include "analyzer/diagnostic-manager.h",
	"cpplib.h", "digraph.h", "ordered-hash-map.h", "cfg.h",
	"basic-block.h", "gimple.h", "gimple-iterator.h", "cgraph.h",
	"analyzer/supergraph.h", "analyzer/program-state.h",
	"alloc-pool.h", "fibonacci_heap.h", "shortest-paths.h",
	"sbitmap.h", "analyzer/exploded-graph.h", "diagnostic-path.h",
	and "analyzer/checker-path.h".
	(ht_ident_eq): New.
	(fixup_location_in_macro_p): New.
	(pending_diagnostic::fixup_location): New.
	(pending_diagnostic::add_call_event): New.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): Drop
	no-op inline implementation in favor of the more complex
	implementation above.
	(pending_diagnostic::add_call_event): New vfunc.
	* region-model-impl-calls.cc: Include "analyzer/sm.h",
	"diagnostic-path.h", and "analyzer/pending-diagnostic.h".
	* region-model-manager.cc
	(region_model_manager::get_var_arg_region): New.
	(region_model_manager::log_stats): Log m_var_arg_regions.
	* region-model.cc (region_model::on_call_pre): Handle IFN_VA_ARG,
	BUILT_IN_VA_START, and BUILT_IN_VA_COPY.
	(region_model::on_call_post): Handle BUILT_IN_VA_END.
	(region_model::get_representative_path_var_1): Handle RK_VAR_ARG.
	(region_model::push_frame): Push variadic arguments.
	* region-model.h (region_model_manager::get_var_arg_region): New
	decl.
	(region_model_manager::m_var_arg_regions): New field.
	(region_model::impl_call_va_start): New decl.
	(region_model::impl_call_va_copy): New decl.
	(region_model::impl_call_va_arg): New decl.
	(region_model::impl_call_va_end): New decl.
	* region.cc (alloca_region::dump_to_pp): Dump the id.
	(var_arg_region::dump_to_pp): New.
	(var_arg_region::get_frame_region): New.
	* region.h (enum region_kind): Add RK_VAR_ARG.
	(region::dyn_cast_var_arg_region): New.
	(class var_arg_region): New.
	(is_a_helper <const var_arg_region *>::test): New.
	(struct default_hash_traits<var_arg_region::key_t>): New.
	* sm.cc (make_checkers): Call make_va_list_state_machine.
	* sm.h (sm_context::warn): New vfunc.
	(sm_context::get_old_svalue): Drop unused decl.
	(sm_context::get_new_program_state): New vfunc.
	(make_va_list_state_machine): New decl.
	* varargs.cc: New file.

2022-05-16  Martin Liska  <mliska@suse.cz>

	* engine.cc (exploded_node::get_dot_fillcolor): Use ARRAY_SIZE.
	* function-set.cc (test_stdio_example): Likewise.
	* sm-file.cc (get_file_using_fns): Likewise.
	* sm-malloc.cc (malloc_state_machine::unaffected_by_call_p): Likewise.
	* sm-signal.cc (get_async_signal_unsafe_fns): Likewise.

2022-05-13  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Re-order gimple-fold.h include.

2022-05-11  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (state_change_event::get_desc): Call maybe_free
	on label_text temporaries.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Likewise.
	* engine.cc (exploded_graph::~exploded_graph): Fix leak of
	m_per_point_data and m_per_call_string_data values. Simplify
	cleanup of m_per_function_stats and m_per_point_data values.
	(feasibility_state::maybe_update_for_edge): Fix leak of result of
	superedge::get_description.
	* region-model-manager.cc
	(region_model_manager::~region_model_manager): Move cleanup of
	m_setjmp_values to match the ordering of the fields within
	region_model_manager. Fix leak of values within
	m_repeated_values_map, m_bits_within_values_map,
	m_asm_output_values_map, and m_const_fn_result_values_map.

2022-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105285
	* store.cc (binding_cluster::get_any_binding): Handle accessing
	sub_svalues of clusters where the base region has a symbolic
	binding.

2022-04-28  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Call dump_feasible_path when a path that reaches the target
	enode is found.
	(epath_finder::dump_feasible_path): New.
	* engine.cc (feasibility_state::dump_to_pp): New.
	* exploded-graph.h (feasibility_state::dump_to_pp): New decl.
	* feasible-graph.cc (feasible_graph::dump_feasible_path): New.
	* feasible-graph.h (feasible_graph::dump_feasible_path): New
	decls.
	* program-point.cc (function_point::print): Fix missing trailing
	newlines.
	* program-point.h (program_point::print_source_line): Remove
	unimplemented decl.

2022-04-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105365
	PR analyzer/105366
	* svalue.cc
	(cmp_cst): Rename to...
	(cmp_csts_same_type): ...this. Convert all recursive calls to
	calls to...
	(cmp_csts_and_types): ...this new function.
	(svalue::cmp_ptr): Update for renaming of cmp_cst.

2022-04-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105264
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Use maybe_get_deref_base_region rather than just region_svalue, to
	handle pointer arithmetic also.
	* svalue.cc (svalue::maybe_get_deref_base_region): New.
	* svalue.h (svalue::maybe_get_deref_base_region): New decl.

2022-04-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105252
	* svalue.cc (cmp_cst): When comparing VECTOR_CSTs, compare the
	types of the encoded elements before calling cmp_cst on them.

2022-04-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103892
	* region-model-manager.cc
	(region_model_manager::get_unknown_symbolic_region): New,
	extracted from...
	(region_model_manager::get_field_region): ...here.
	(region_model_manager::get_element_region): Use it here.
	(region_model_manager::get_offset_region): Likewise.
	(region_model_manager::get_sized_region): Likewise.
	(region_model_manager::get_cast_region): Likewise.
	(region_model_manager::get_bit_range): Likewise.
	* region-model.h
	(region_model_manager::get_unknown_symbolic_region): New decl.
	* region.cc (symbolic_region::symbolic_region): Handle sval_ptr
	having NULL type.
	(symbolic_region::dump_to_pp): Handle having NULL type.

2022-04-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102208
	* store.cc (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param, using it to generalize to the case where
	we want to remove all bindings. Update "uncertainty" logic to
	only record maybe-bound values for cases where there is a symbolic
	write involved.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(binding_cluster::maybe_get_compound_binding): Pass "false" to
	binding_map::remove_overlapping_bindings new "always_overlap" param.
	(binding_cluster::remove_overlapping_bindings): Determine
	"always_overlap" and pass it to
	binding_map::remove_overlapping_bindings.
	(store::set_value): Pass uncertainty to remove_overlapping_bindings
	call. Update for new param of
	binding_cluster::mark_region_as_unknown, passing both the base
	region of the iter_cluster, and the lhs_reg.
	(store::mark_region_as_unknown): Update for new param of
	binding_cluster::mark_region_as_unknown, passing "reg" for both.
	(store::remove_overlapping_bindings): Add param "uncertainty", and
	pass it on to call to
	binding_cluster::remove_overlapping_bindings.
	* store.h (binding_map::remove_overlapping_bindings): Add
	"always_overlap" param.
	(binding_cluster::mark_region_as_unknown): Split param "reg" into
	"reg_to_bind" and "reg_for_overlap".
	(store::remove_overlapping_bindings): Add param "uncertainty".

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/105085
	* region-model-manager.cc (dump_untracked_region): Skip decls in
	the constant pool.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105087
	* analyzer.h (class conjured_purge): New forward decl.
	* region-model-asm.cc (region_model::on_asm_stmt): Add
	conjured_purge param to calls to binding_cluster::on_asm and
	region_model_manager::get_or_create_conjured_svalue.
	* region-model-impl-calls.cc
	(call_details::get_or_create_conjured_svalue): Likewise for call
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::impl_call_fgets): Remove call to
	region_model::purge_state_involving, as this is now done
	implicitly by call_details::get_or_create_conjured_svalue.
	(region_model::impl_call_fread): Likewise.
	(region_model::impl_call_strchr): Pass conjured_purge param to
	call to region_model_manager::get_or_create_conjured_svalue.
	* region-model-manager.cc (conjured_purge::purge): New.
	(region_model_manager::get_or_create_conjured_svalue): Add
	param "p". Use it to purge state when reusing an existing
	conjured_svalue.
	* region-model.cc (region_model::on_call_pre): Replace call to
	region_model::purge_state_involving with passing conjured_purge
	to region_model_manager::get_or_create_conjured_svalue.
	(region_model::handle_unrecognized_call): Pass conjured_purge to
	store::on_unknown_fncall.
	* region-model.h
	(region_model_manager::get_or_create_conjured_svalue): Add param
	"p".
	* store.cc (binding_cluster::on_unknown_fncall): Likewise. Pass
	it on to region_model_manager::get_or_create_conjured_svalue.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Add param "p" and pass it on to
	binding_cluster::on_unknown_fncall.
	* store.h (binding_cluster::on_unknown_fncall): Add param p.
	(binding_cluster::on_asm): Likewise.
	(store::on_unknown_fncall): Likewise.
	* svalue.h (class conjured_purge): New.

2022-03-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105074
	* region.cc (ipa_ref_requires_tracking): Drop "context_fndecl",
	instead using the ref->referring to get the cgraph node of the
	caller.
	(symnode_requires_tracking_p): Likewise.

2022-03-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105057
	* store.cc (binding_cluster::make_unknown_relative_to): Reject
	attempts to create a cluster for untracked base regions.
	(store::set_value): Likewise.
	(store::fill_region): Likewise.
	(store::mark_region_as_unknown): Likewise.

2022-03-25  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104954
	* analyzer.opt (-fdump-analyzer-untracked): New option.
	* engine.cc (impl_run_checkers): Handle it.
	* region-model-asm.cc (region_model::on_asm_stmt): Don't attempt
	to clobber regions with !tracked_p ().
	* region-model-manager.cc (dump_untracked_region): New.
	(region_model_manager::dump_untracked_regions): New.
	(frame_region::dump_untracked_regions): New.
	* region-model.h (region_model_manager::dump_untracked_regions):
	New decl.
	* region.cc (ipa_ref_requires_tracking): New.
	(symnode_requires_tracking_p): New.
	(decl_region::calc_tracked_p): New.
	* region.h (region::tracked_p): New vfunc.
	(frame_region::dump_untracked_regions): New decl.
	(class decl_region): Note that this is also used for SSA names.
	(decl_region::decl_region): Initialize m_tracked.
	(decl_region::tracked_p): New.
	(decl_region::calc_tracked_p): New decl.
	(decl_region::m_tracked): New.
	* store.cc (store::get_or_create_cluster): Assert that we
	don't try to create clusters for base regions that aren't
	trackable.
	(store::mark_as_escaped): Don't mark base regions that we're not
	tracking.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104979
	* engine.cc (impl_run_checkers): Create the engine after the
	supergraph, and pass the supergraph to the engine.
	* region-model.cc (region_model::get_lvalue_1): Pass ctxt to
	frame_region::get_region_for_local.
	(region_model::update_for_return_gcall): Pass the lvalue for the
	result to pop_frame as a tree, rather than as a region.
	(region_model::pop_frame): Update for above change, determining
	the destination region after the frame is popped and thus with
	respect to the caller frame rather than the called frame.
	Likewise, set the value of the region to the return value after
	the frame is popped.
	(engine::engine): Add supergraph pointer.
	(selftest::test_stack_frames): Set the DECL_CONTEXT of PARM_DECLs.
	(selftest::test_get_representative_path_var): Likewise.
	(selftest::test_state_merging): Likewise.
	* region-model.h (region_model::pop_frame): Convert first param
	from a const region * to a tree.
	(engine::engine): Add param "sg".
	(engine::m_sg): New field.
	* region.cc: Include "analyzer/sm.h" and
	"analyzer/program-state.h".
	(frame_region::get_region_for_local): Add "ctxt" param.
	Add assertions that VAR_DECLs are locals, and that expr is for the
	correct function.
	* region.h (frame_region::get_region_for_local): Add "ctxt" param.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/105017
	* sm-taint.cc (taint_diagnostic::subclass_equal_p): Check
	m_has_bounds as well as m_arg.
	(tainted_allocation_size::subclass_equal_p): Chain up to base
	class implementation.  Also check m_mem_space.
	(tainted_allocation_size::emit): Add note showing stack-based vs
	heap-based allocations.

2022-03-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104997
	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic):
	Convert return type from "void" to "bool", reporting success vs
	failure to caller, for both overloads.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise.
	* engine.cc (impl_region_model_context::warn): Propagate return
	value from diagnostic_manager::add_diagnostic.

2022-03-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104943
	PR analyzer/104954
	PR analyzer/103533
	* analyzer.h (class state_purge_per_decl): New forward decl.
	* engine.cc (impl_run_checkers): Pass region_model_manager to
	state_purge_map ctor.
	* program-point.cc (function_point::final_stmt_p): New.
	(function_point::get_next): New.
	* program-point.h (function_point::final_stmt_p): New decl.
	(function_point::get_next): New decl.
	* program-state.cc (program_state::prune_for_point): Generalize to
	purge local decls as well as SSA names.
	(program_state::can_purge_base_region_p): New.
	* program-state.h (program_state::can_purge_base_region_p): New
	decl.
	* region-model.cc (struct append_ssa_names_cb_data): Rename to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	to...
	(region_model::get_regions_for_current_frame): ...this, updating
	for other renamings.
	(region_model::append_ssa_names_cb): Rename to...
	(region_model::append_regions_cb): ...this, and drop the requirement
	that the subregion be a SSA name.
	* region-model.h (struct append_ssa_names_cb_data): Rename decl
	to...
	(struct append_regions_cb_data): ...this.
	(region_model::get_ssa_name_regions_for_current_frame): Rename
	decl to...
	(region_model::get_regions_for_current_frame): ...this.
	(region_model::append_ssa_names_cb): Rename decl to...
	(region_model::append_regions_cb): ...this.
	* state-purge.cc: Include "tristate.h", "selftest.h",
	"analyzer/store.h", "analyzer/region-model.h", and
	"gimple-walk.h".
	(get_candidate_for_purging): New.
	(class gimple_op_visitor): New.
	(my_load_cb): New.
	(my_store_cb): New.
	(my_addr_cb): New.
	(state_purge_map::state_purge_map): Add "mgr" param.  Update for
	renamings.  Find uses of local variables.
	(state_purge_map::~state_purge_map): Update for renaming of m_map
	to m_ssa_map.  Clean up m_decl_map.
	(state_purge_map::get_or_create_data_for_decl): New.
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Update for
	inheriting from state_purge_per_tree.
	(state_purge_per_ssa_name::add_to_worklist): Likewise.
	(state_purge_per_decl::state_purge_per_decl): New.
	(state_purge_per_decl::add_needed_at): New.
	(state_purge_per_decl::add_pointed_to_at): New.
	(state_purge_per_decl::process_worklists): New.
	(state_purge_per_decl::add_to_worklist): New.
	(same_binding_p): New.
	(fully_overwrites_p): New.
	(state_purge_per_decl::process_point_backwards): New.
	(state_purge_per_decl::process_point_forwards): New.
	(state_purge_per_decl::needed_at_point_p): New.
	(state_purge_annotator::print_needed): Generalize to print local
	decls as well as SSA names.
	* state-purge.h (class state_purge_map): Update leading comment.
	(state_purge_map::map_t): Rename to...
	(state_purge_map::ssa_map_t): ...this.
	(state_purge_map::iterator): Rename to...
	(state_purge_map::ssa_iterator): ...this.
	(state_purge_map::decl_map_t): New typedef.
	(state_purge_map::decl_iterator): New typedef.
	(state_purge_map::state_purge_map): Add "mgr" param.
	(state_purge_map::get_data_for_ssa_name): Update for renaming.
	(state_purge_map::get_any_data_for_decl): New.
	(state_purge_map::get_or_create_data_for_decl): New decl.
	(state_purge_map::begin): Rename to...
	(state_purge_map::begin_ssas): ...this.
	(state_purge_map::end): Rename to...
	(state_purge_map::end_ssa): ...this.
	(state_purge_map::begin_decls): New.
	(state_purge_map::end_decls): New.
	(state_purge_map::m_map): Rename to...
	(state_purge_map::m_ssa_map): ...this.
	(state_purge_map::m_decl_map): New field.
	(class state_purge_per_tree): New class.
	(class state_purge_per_ssa_name): Inherit from state_purge_per_tree.
	(state_purge_per_ssa_name::get_function): Move to base class.
	(state_purge_per_ssa_name::point_set_t): Likewise.
	(state_purge_per_ssa_name::m_fun): Likewise.
	(class state_purge_per_decl): New.

2022-03-17  David Malcolm  <dmalcolm@redhat.com>

	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Avoid duplicate before-supernode annotations when returning from
	an interprocedural call.  Show after-supernode annotations.

2022-03-17  David Malcolm  <dmalcolm@redhat.com>

	* program-point.cc (program_point::get_next): Fix missing
	increment of index.

2022-03-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104955
	* diagnostic-manager.cc (get_emission_location): New.
	(diagnostic_manager::diagnostic_manager): Initialize
	m_num_disabled_diagnostics.
	(diagnostic_manager::add_diagnostic): Reject diagnostics that
	will eventually be rejected due to being disabled.
	(diagnostic_manager::emit_saved_diagnostics): Log the number
	of disabled diagnostics.
	(diagnostic_manager::emit_saved_diagnostic): Split out logic for
	determining emission location to get_emission_location.
	* diagnostic-manager.h
	(diagnostic_manager::m_num_disabled_diagnostics): New field.
	* engine.cc (stale_jmp_buf::get_controlling_option): New.
	(stale_jmp_buf::emit): Use it.
	* pending-diagnostic.h
	(pending_diagnostic::get_controlling_option): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::get_controlling_option): New.
	(poisoned_value_diagnostic::emit): Use it.
	(shift_count_negative_diagnostic::get_controlling_option): New.
	(shift_count_negative_diagnostic::emit): Use it.
	(shift_count_overflow_diagnostic::get_controlling_option): New.
	(shift_count_overflow_diagnostic::emit): Use it.
	(dump_path_diagnostic::get_controlling_option): New.
	(dump_path_diagnostic::emit): Use it.
	(write_to_const_diagnostic::get_controlling_option): New.
	(write_to_const_diagnostic::emit): Use it.
	(write_to_string_literal_diagnostic::get_controlling_option): New.
	(write_to_string_literal_diagnostic::emit): Use it.
	* sm-file.cc (double_fclose::get_controlling_option): New.
	(double_fclose::emit): Use it.
	(file_leak::get_controlling_option): New.
	(file_leak::emit): Use it.
	* sm-malloc.cc (mismatching_deallocation::get_controlling_option):
	New.
	(mismatching_deallocation::emit): Use it.
	(double_free::get_controlling_option): New.
	(double_free::emit): Use it.
	(possible_null_deref::get_controlling_option): New.
	(possible_null_deref::emit): Use it.
	(possible_null_arg::get_controlling_option): New.
	(possible_null_arg::emit): Use it.
	(null_deref::get_controlling_option): New.
	(null_deref::emit): Use it.
	(null_arg::get_controlling_option): New.
	(null_arg::emit): Use it.
	(use_after_free::get_controlling_option): New.
	(use_after_free::emit): Use it.
	(malloc_leak::get_controlling_option): New.
	(malloc_leak::emit): Use it.
	(free_of_non_heap::get_controlling_option): New.
	(free_of_non_heap::emit): Use it.
	* sm-pattern-test.cc (pattern_match::get_controlling_option): New.
	(pattern_match::emit): Use it.
	* sm-sensitive.cc
	(exposure_through_output_file::get_controlling_option): New.
	(exposure_through_output_file::emit): Use it.
	* sm-signal.cc (signal_unsafe_call::get_controlling_option): New.
	(signal_unsafe_call::emit): Use it.
	* sm-taint.cc (tainted_array_index::get_controlling_option): New.
	(tainted_array_index::emit): Use it.
	(tainted_offset::get_controlling_option): New.
	(tainted_offset::emit): Use it.
	(tainted_size::get_controlling_option): New.
	(tainted_size::emit): Use it.
	(tainted_divisor::get_controlling_option): New.
	(tainted_divisor::emit): Use it.
	(tainted_allocation_size::get_controlling_option): New.
	(tainted_allocation_size::emit): Use it.

2022-03-15  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (store::store): Presize m_cluster_map.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104863
	* constraint-manager.cc (constraint_manager::add_constraint):
	Refresh the EC IDs when adding constraints implied by offsets.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104793
	* analyzer.h (class pending_note): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize m_notes.
	(saved_diagnostic::operator==): Compare m_notes.
	(saved_diagnostic::add_note): New.
	(saved_diagnostic::emit_any_notes): New.
	(diagnostic_manager::add_note): New.
	(diagnostic_manager::emit_saved_diagnostic): Call emit_any_notes
	after emitting the warning.
	* diagnostic-manager.h (saved_diagnostic::add_note): New decl.
	(saved_diagnostic::emit_any_notes): New decl.
	(saved_diagnostic::m_notes): New field.
	(diagnostic_manager::add_note): New decl.
	* engine.cc (impl_region_model_context::add_note): New.
	* exploded-graph.h (impl_region_model_context::add_note): New
	decl.
	* pending-diagnostic.h (class pending_note): New.
	(class pending_note_subclass): New template.
	* region-model.cc (class reason_attr_access): New.
	(check_external_function_for_access_attr): Add class
	annotating_ctxt and use it when checking region.
	(noop_region_model_context::add_note): New.
	* region-model.h (region_model_context::add_note): New vfunc.
	(noop_region_model_context::add_note): New decl.
	(class region_model_context_decorator): New.
	(class note_adding_context): New.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104793
	* region-model.cc
	(region_model::check_external_function_for_access_attr): New.
	(region_model::handle_unrecognized_call): Call it.
	* region-model.h
	(region_model::check_external_function_for_access_attr): New decl.
	(region_model::handle_unrecognized_call): New decl.

2022-03-10  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::check_for_tainted_size_arg):
	Avoid generating duplicate saved_diagnostics by only handling the
	rdwr_map entry for the ptrarg, not the duplicate entry for the
	sizarg.

2022-03-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101983
	* engine.cc (returning_from_function_p): New.
	(impl_region_model_context::on_state_leak): Use it when rejecting
	leaks at the return from "main".

2022-03-07  Jakub Jelinek  <jakub@redhat.com>

	* store.cc: Fix up duplicated word issue in a comment.
	* analyzer.cc: Likewise.
	* engine.cc: Likewise.
	* sm-taint.cc: Likewise.

2022-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103521
	* analyzer.opt (-param=analyzer-max-svalue-depth=): Reduce from 13
	to 12.

2022-02-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104434
	* analyzer.h (class const_fn_result_svalue): New decl.
	* region-model-impl-calls.cc (call_details::get_manager): New.
	* region-model-manager.cc
	(region_model_manager::get_or_create_const_fn_result_svalue): New.
	(region_model_manager::log_stats): Log
	m_const_fn_result_values_map.
	* region-model.cc (const_fn_p): New.
	(maybe_get_const_fn_result): New.
	(region_model::on_call_pre): Handle fndecls with
	__attribute__((const)) by calling the above rather than making
	a conjured_svalue.
	* region-model.h (visitor::visit_const_fn_result_svalue): New.
	(region_model_manager::get_or_create_const_fn_result_svalue): New
	decl.
	(region_model_manager::const_fn_result_values_map_t): New typedef.
	(region_model_manager::m_const_fn_result_values_map): New field.
	(call_details::get_manager): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_CONST_FN_RESULT.
	(const_fn_result_svalue::dump_to_pp): New.
	(const_fn_result_svalue::dump_input): New.
	(const_fn_result_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_CONST_FN_RESULT.
	(svalue::dyn_cast_const_fn_result_svalue): New.
	(class const_fn_result_svalue): New.
	(is_a_helper <const const_fn_result_svalue *>::test): New.
	(template <> struct default_hash_traits<const_fn_result_svalue::key_t>):
	New.

2022-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104576
	* region-model.cc: Include "calls.h".
	(region_model::on_call_pre): Use flags_from_decl_or_type to
	generalize check for DECL_PURE_P to also check for ECF_CONST.

2022-02-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104560
	* diagnostic-manager.cc (diagnostic_manager::build_emission_path):
	Add region creation events for globals of interest.
	(null_assignment_sm_context::get_old_program_state): New.
	(diagnostic_manager::add_events_for_eedge): Move check for
	changing dynamic extents from PK_BEFORE_STMT case to after the
	switch on the dst_point's kind so that we can emit them for the
	final stmt in a basic block.
	* engine.cc (impl_sm_context::get_old_program_state): New.
	* sm-malloc.cc (malloc_state_machine::get_default_state): Rewrite
	detection of m_non_heap to use get_memory_space.
	(free_of_non_heap::free_of_non_heap): Add freed_reg param.
	(free_of_non_heap::subclass_equal_p): Update for changes to
	fields.
	(free_of_non_heap::emit): Drop m_kind in favor of
	get_memory_space.
	(free_of_non_heap::describe_state_change): Remove logic for
	detecting alloca.
	(free_of_non_heap::mark_interesting_stuff): Add region-creation of
	m_freed_reg.
	(free_of_non_heap::get_memory_space): New.
	(free_of_non_heap::kind): Drop enum.
	(free_of_non_heap::m_freed_reg): New field.
	(free_of_non_heap::m_kind): Drop field.
	(malloc_state_machine::on_stmt): Drop transition to m_non_heap.
	(malloc_state_machine::handle_free_of_non_heap): New function,
	split out from on_deallocator_call and on_realloc_call, adding
	detection of the freed region.
	(malloc_state_machine::on_deallocator_call): Use it.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm.h (sm_context::get_old_program_state): New vfunc.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104524
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Only call
	get_or_create_cast if type is non-NULL.

2022-02-15  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* exploded-graph.h (impl_region_model_context::get_stmt): New.
	* region-model.cc: Include "gimple-ssa.h", "tree-phinodes.h",
	"tree-ssa-operands.h", and "ssa-iterators.h".
	(within_short_circuited_stmt_p): New.
	(region_model::check_for_poison): Don't warn about uninit values
	if within_short_circuited_stmt_p.
	* region-model.h (region_model_context::get_stmt): New vfunc.
	(noop_region_model_context::get_stmt): New.

2022-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104274
	* region-model.cc (region_model::check_for_poison): Ignore
	uninitialized uses of empty types.

2022-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98797
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Generalize getting
	individual chars of a STRING_CST from element_region to any
	subregion which is a concrete access of a single byte from its
	parent region.
	* region.cc (region::get_relative_concrete_byte_range): New.
	* region.h (region::get_relative_concrete_byte_range): New decl.

2022-02-09  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104452
	* region-model.cc (selftest::test_bit_range_regions): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region.h (bit_range_region::key_t::hash): Fix hashing of m_bits
	to avoid using uninitialized data.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104417
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Remove overzealous assertion.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103872
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Reimplement in terms of a get_store_value followed by a set_value.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104369
	* engine.cc (exploded_graph::process_node): Use the node for any
	diagnostics, avoiding ICE if a bifurcation update adds a
	saved_diagnostic, such as for a tainted realloc size.
	* region-model-impl-calls.cc
	(region_model::impl_call_realloc::success_no_move::update_model):
	Require the old pointer to be non-NULL to be able to successfully
	grow in place.  Use model->deref_rvalue rather than maybe_get_region
	to support the old pointer being symbolic.
	(region_model::impl_call_realloc::success_with_move::update_model):
	Likewise.  Add a constraint that the new pointer != the old pointer.
	Use a sized_region when setting the value of the new region.
	Handle the case where we don't know the dynamic size of the old
	region by marking the new region as unknown.
	* sm-taint.cc (tainted_allocation_size::tainted_allocation_size):
	Update assertion to also allow for MEMSPACE_UNKNOWN.
	(tainted_allocation_size::emit): Likewise.
	(region_model::check_dynamic_size_for_taint): Likewise.

2022-02-03  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (region_model::impl_call_calloc): Use
	a sized_region when calling zero_fill_region.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::on_return): Replace usage of
	copy_region with get_rvalue/set_value pair.
	(region_model::pop_frame): Likewise.
	(selftest::test_compound_assignment): Likewise.
	* region-model.h (region_model::copy_region): Delete decl.
	* region.cc (region_model::copy_region): Delete.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* region.cc (region::calc_offset): Consolidate effectively
	identical cases.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class bit_range_region): New forward decl.
	* region-model-manager.cc (region_model_manager::get_bit_range):
	New.
	(region_model_manager::log_stats): Handle m_bit_range_regions.
	* region-model.cc (region_model::get_lvalue_1): Handle
	BIT_FIELD_REF.
	* region-model.h (region_model_manager::get_bit_range): New decl.
	(region_model_manager::m_bit_range_regions): New field.
	* region.cc (region::get_base_region): Handle RK_BIT_RANGE.
	(region::base_region_p): Likewise.
	(region::calc_offset): Likewise.
	(bit_range_region::dump_to_pp): New.
	(bit_range_region::get_byte_size): New.
	(bit_range_region::get_bit_size): New.
	(bit_range_region::get_byte_size_sval): New.
	(bit_range_region::get_relative_concrete_offset): New.
	* region.h (enum region_kind): Add RK_BIT_RANGE.
	(region::dyn_cast_bit_range_region): New vfunc.
	(class bit_range_region): New.
	(is_a_helper <const bit_range_region *>::test): New.
	(default_hash_traits<bit_range_region::key_t>): New.

2022-02-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104270
	* region-model.cc (region_model::on_call_pre): Handle
	IFN_DEFERRED_INIT.

2022-01-27  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (event_kind_to_string): Handle
	EK_REGION_CREATION.
	(region_creation_event::region_creation_event): New.
	(region_creation_event::get_desc): New.
	(checker_path::add_region_creation_event): New.
	* checker-path.h (enum event_kind): Add EK_REGION_CREATION.
	(class region_creation_event): New subclass.
	(checker_path::add_region_creation_event): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Pass NULL for new
	param to add_events_for_eedge when handling trailing eedge.
	(diagnostic_manager::build_emission_path): Create an interesting_t
	instance, allow the pending diagnostic to populate it, and pass it
	to the calls to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Add "interest" param.
	Use it to add region_creation_events for on-stack regions created
	at function entry, and when pertinent dynamically-sized
	regions are created.
	(diagnostic_manager::prune_for_sm_diagnostic): Add case for
	EK_REGION_CREATION.
	* diagnostic-manager.h (diagnostic_manager::add_events_for_eedge):
	Add "interest" param.
	* pending-diagnostic.cc: Include "selftest.h", "tristate.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(interesting_t::add_region_creation): New.
	(interesting_t::dump_to_pp): New.
	* pending-diagnostic.h (struct interesting_t): New.
	(pending_diagnostic::mark_interesting_stuff): New vfunc.
	* region-model.cc
	(poisoned_value_diagnostic::poisoned_value_diagnostic): Add
	(poisoned_value_diagnostic::operator==): Compare m_pkind and
	m_src_region fields.
	(poisoned_value_diagnostic::mark_interesting_stuff): New.
	(poisoned_value_diagnostic::m_src_region): New.
	(region_model::check_for_poison): Call
	get_region_for_poisoned_expr for uninit values and pass the result
	to the diagnostic.
	(region_model::get_region_for_poisoned_expr): New.
	(region_model::deref_rvalue): Pass NULL for
	poisoned_value_diagnostic's src_region.
	* region-model.h (region_model::get_region_for_poisoned_expr): New
	decl.
	* region.h (frame_region::get_fndecl): New.

2022-01-27  Martin Liska  <mliska@suse.cz>

	PR analyzer/104247
	* constraint-manager.cc (bounded_ranges_manager::log_stats):
	Cast to long for format purpose.
	* region-model-manager.cc (log_uniq_map): Likewise.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104224
	* region-model.cc (region_model::check_call_args): New.
	(region_model::on_call_pre): Call it when ignoring stdio builtins.
	* region-model.h (region_model::check_call_args): New decl.

2022-01-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (range::add_bound): Fix tests for
	discarding redundant constraints.  Perform test for rejecting
	unsatisfiable constraints earlier so that they don't update
	the object on failure.
	(selftest::test_range): New.
	(selftest::test_constant_comparisons): Add test coverage for
	existing constraints becoming narrower until they are
	unsatisfiable.
	(selftest::run_constraint_manager_tests): Call test_range.

2022-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104159
	* region-model-manager.cc
	(region_model_manager::get_or_create_cast): Bail out if the types
	are the same.  Don't attempt to handle casts involving vector
	types.

2022-01-20  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94362
	* constraint-manager.cc (bound::ensure_closed): Convert param to
	enum bound_kind.
	(range::constrained_to_single_element): Likewise.
	(range::add_bound): New.
	(constraint_manager::add_constraint): Handle SVAL + OFFSET
	compared to a constant.
	(constraint_manager::get_ec_bounds): Rewrite in terms of
	range::add_bound.
	(constraint_manager::eval_condition): Reject if range::add_bound
	fails.
	(selftest::test_constant_comparisons): Add test coverage for
	various impossible combinations of integer comparisons.
	* constraint-manager.h (enum bound_kind): New.
	(struct bound): Likewise.
	(bound::ensure_closed): Convert param to enum bound_kind.
	(struct range): Convert to...
	(class range): ...this, making fields private.
	(range::add_bound): New decls.
	* region-model.cc (region_model::add_constraint): Fail if
	constraint_manager::add_constraint fails.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104089
	* region-model-manager.cc
	(region_model_manager::get_or_create_constant_svalue): Assert that
	we have a CONSTANT_CLASS_P.
	(region_model_manager::maybe_fold_unaryop): Only fold a constant
	when fold_unary's result is a constant or a cast of a constant.

2022-01-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104062
	* region-model-manager.cc
	(region_model_manager::maybe_fold_sub_svalue): Avoid casting to
	NULL type when folding access to repeated svalue.

2022-01-17  Martin Liska  <mliska@suse.cz>

	* analyzer.cc (is_special_named_call_p): Rename .c names to .cc.
	(is_named_call_p): Likewise.
	* region-model-asm.cc (deterministic_p): Likewise.
	* region.cc (field_region::get_relative_concrete_offset): Likewise.
	* sm-malloc.cc (method_p): Likewise.
	* supergraph.cc (superedge::dump_dot): Likewise.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* sm-taint.cc (taint_state_machine::combine_states): Handle combination
	of has_ub and has_lb.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/104029
	* sm-taint.cc (taint_state_machine::alt_get_inherited_state):
	Remove gcc_unreachable from default case for unary ops.

2022-01-14  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc: Include "stringpool.h", "attribs.h", and
	"tree-dfa.h".
	(mark_params_as_tainted): New.
	(class tainted_args_function_custom_event): New.
	(class tainted_args_function_info): New.
	(exploded_graph::add_function_entry): Handle functions with
	"tainted_args" attribute.
	(class tainted_args_field_custom_event): New.
	(class tainted_args_callback_custom_event): New.
	(class tainted_args_call_info): New.
	(add_tainted_args_callback): New.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Find callbacks that are
	reachable from global initializers, calling add_any_callbacks on
	them.

2022-01-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103940
	* engine.cc (impl_sm_context::impl_sm_context): Add
	"unknown_side_effects" param and use it to initialize
	new m_unknown_side_effects field.
	(impl_sm_context::unknown_side_effects_p): New.
	(impl_sm_context::m_unknown_side_effects): New.
	(exploded_node::on_stmt): Pass unknown_side_effects to sm_ctxt
	ctor.
	* sm-taint.cc: Include "stringpool.h" and "attribs.h".
	(tainted_size::tainted_size): Drop "dir" param.
	(tainted_size::get_kind): Drop "FINAL".
	(tainted_size::emit): Likewise.
	(tainted_size::m_dir): Drop unused field.
	(class tainted_access_attrib_size): New subclass.
	(taint_state_machine::on_stmt): Call check_for_tainted_size_arg on
	external functions with unknown side effects.
	(taint_state_machine::check_for_tainted_size_arg): New.
	(region_model::check_region_for_taint): Drop "dir" param from
	tainted_size ctor.
	* sm.h (sm_context::unknown_side_effects_p): New.

2022-01-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102692
	* diagnostic-manager.cc
	(class auto_disable_complexity_checks): Rename to...
	(class auto_checking_feasibility): ...this, updating
	the calls accordingly.
	(epath_finder::explore_feasible_paths): Update for renaming.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Update for change from
	m_check_complexity to m_checking_feasibility.
	(region_model_manager::reject_if_too_complex): Likewise.
	(region_model_manager::get_or_create_unknown_svalue): Handle
	m_checking_feasibility.
	(region_model_manager::create_unique_svalue): New.
	(region_model_manager::maybe_fold_binop): Handle BIT_AND_EXPR and
	BIT_IOR_EXPRs on booleans where we know the result.
	* region-model.cc (test_binop_svalue_folding): Add test coverage
	for the above.
	* region-model.h (region_model_manager::create_unique_svalue): New
	decl.
	(region_model_manager::enable_complexity_check): Replace with...
	(region_model_manager::begin_checking_feasibility): ...this.
	(region_model_manager::disable_complexity_check): Replace with...
	(region_model_manager::end_checking_feasibility): ...this.
	(region_model_manager::m_check_complexity): Replace with...
	(region_model_manager::m_checking_feasibility): ...this.
	(region_model_manager::m_managed_dynamic_svalues): New field.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (impl_run_checkers): Pass logger to engine ctor.
	* region-model-manager.cc
	(region_model_manager::region_model_manager): Add logger param and
	use it to initialize m_logger.
	* region-model.cc (engine::engine): New.
	* region-model.h (region_model_manager::region_model_manager):
	Add logger param.
	(region_model_manager::get_logger): New.
	(region_model_manager::m_logger): New field.
	(engine::engine): New.
	* store.cc (store_manager::get_logger): New.
	(store::set_value): Log scope. Log when marking a cluster as
	unknown due to possible aliasing.
	* store.h (store_manager::get_logger): New decl.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* region-model-impl-calls.cc (cmp_decls): New.
	(cmp_decls_ptr_ptr): New.
	(region_model::impl_call_analyzer_dump_escaped): New.
	* region-model.cc (region_model::on_stmt_pre): Handle
	__analyzer_dump_escaped.
	* region-model.h (region_model::impl_call_analyzer_dump_escaped):
	New decl.
	* store.h (binding_cluster::get_base_region): New accessor.

2022-01-08  David Malcolm  <dmalcolm@redhat.com>

	* region.cc (region::is_named_decl_p): New.
	* region.h (region::is_named_decl_p): New decl.

2022-01-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103546
	* store.cc (store::eval_alias_1): Refactor handling of decl
	regions, adding a test for may_be_aliased, rejecting those for
	which it returns false.

2021-12-12  Jonathan Wakely  <jwakely@redhat.com>

	* engine.cc: Define INCLUDE_MEMORY instead of INCLUDE_UNIQUE_PTR.

2021-12-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103533
	* constraint-manager.cc (equiv_class::contains_non_constant_p):
	New.
	(constraint_manager::canonicalize): Call it when determining
	redundant ECs.
	(selftest::test_purging): New selftest.
	(selftest::run_constraint_manager_tests): Likewise.
	* constraint-manager.h (equiv_class::contains_non_constant_p):
	New decl.

2021-12-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102471
	* region-model-reachability.cc (reachable_regions::handle_parm):
	Treat all svalues within a compound parm as reachable, and those
	wrapped in a cast.

2021-11-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* store.cc (binding_cluster::can_merge_p): For the "key is bound"
	vs "key is not bound" merger case, check that the bound svalue
	is mergeable before merging it to "unknown", rejecting the merger
	otherwise.

2021-11-19  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/103217
	* engine.cc (exploded_graph::get_or_create_node): Pass in
	m_ext_state to program_state::can_merge_with_p.
	(exploded_graph::process_worklist): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Likewise.
	(exploded_graph::process_node): Add missing call to detect_leaks
	when handling phi nodes.
	* program-state.cc (program_state::can_merge_with_p): Add
	"ext_state" param. Pass it and state ptrs to
	region_model::can_merge_with_p.
	(selftest::test_program_state_merging): Update for new ext_state
	param of program_state::can_merge_with_p.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (program_state::can_purge_p): Make const.
	(program_state::can_merge_with_p): Add "ext_state" param.
	* region-model.cc: Include "analyzer/program-state.h".
	(region_model::can_merge_with_p): Add params "ext_state",
	"state_a", and "state_b", use them when creating model_merger
	object.
	(model_merger::mergeable_svalue_p): New.
	* region-model.h (region_model::can_merge_with_p): Add params
	"ext_state", "state_a", and "state_b".
	(model_merger::model_merger): Likewise, initializing new fields.
	(model_merger::mergeable_svalue_p): New decl.
	(model_merger::m_ext_state): New field.
	(model_merger::m_state_a): New field.
	(model_merger::m_state_b): New field.
	* svalue.cc (svalue::can_merge_p): Call
	model_merger::mergeable_svalue_p on both states and reject the
	merger accordingly.

2021-11-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102695
	* region-model-impl-calls.cc (region_model::impl_call_strchr): New.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_unaryop): Simplify cast to
	pointer type of an existing pointer to a region.
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_STRCHR and "strchr".
	(write_to_const_diagnostic::emit): Add auto_diagnostic_group. Add
	alternate wordings for functions and labels.
	(write_to_const_diagnostic::describe_final_event): Add alternate
	wordings for functions and labels.
	(region_model::check_for_writable_region): Handle RK_FUNCTION and
	RK_LABEL.
	* region-model.h (region_model::impl_call_strchr): New decl.

2021-11-16  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102662
	* constraint-manager.cc (bounded_range::operator==): Require the
	types to be the same for equality.

2021-11-13  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-tainted-allocation-size): New.
	(Wanalyzer-tainted-divisor): New.
	(Wanalyzer-tainted-offset): New.
	(Wanalyzer-tainted-size): New.
	* engine.cc (impl_region_model_context::get_taint_map): New.
	* exploded-graph.h (impl_region_model_context::get_taint_map):
	New decl.
	* program-state.cc (sm_state_map::get_state): Call
	alt_get_inherited_state.
	(sm_state_map::impl_set_state): Modify states within
	compound svalues.
	(program_state::impl_call_analyzer_dump_state): Undo casts.
	(selftest::test_program_state_1): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc (region_model::impl_call_alloca):
	Likewise.
	(region_model::impl_call_calloc): Likewise.
	(region_model::impl_call_malloc): Likewise.
	(region_model::impl_call_operator_new): Likewise.
	(region_model::impl_call_realloc): Likewise.
	* region-model.cc (region_model::check_region_access): Call
	check_region_for_taint.
	(region_model::get_representative_path_var_1): Handle binops.
	(region_model::create_region_for_heap_alloc): Add "ctxt" param and
	pass it to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Add "ctxt" param and use it
	to call check_dynamic_size_for_taint.
	(selftest::test_state_merging): Update for new context param of
	create_region_for_heap_alloc.
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Likewise.
	(selftest::test_alloca): Likewise for create_region_for_alloca.
	* region-model.h (region_model::create_region_for_heap_alloc): Add
	"ctxt" param.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::set_dynamic_extents): Likewise.
	(region_model::check_dynamic_size_for_taint): New decl.
	(region_model::check_region_for_taint): New decl.
	(region_model_context::get_taint_map): New vfunc.
	(noop_region_model_context::get_taint_map): New.
	* sm-taint.cc: Remove include of "diagnostic-event-id.h"; add
	includes of "gimple-iterator.h", "tristate.h", "selftest.h",
	"ordered-hash-map.h", "cgraph.h", "cfg.h", "digraph.h",
	"analyzer/supergraph.h", "analyzer/call-string.h",
	"analyzer/program-point.h", "analyzer/store.h",
	"analyzer/region-model.h", and "analyzer/program-state.h".
	(enum bounds): Move to top of file.
	(class taint_diagnostic): New.
	(class tainted_array_index): Convert to subclass of taint_diagnostic.
	(tainted_array_index::emit): Add CWE-129. Reword warning to use
	"attacker-controlled" rather than "tainted".
	(tainted_array_index::describe_state_change): Move to
	taint_diagnostic::describe_state_change.
	(tainted_array_index::describe_final_event): Reword to use
	"attacker-controlled" rather than "tainted".
	(class tainted_offset): New.
	(class tainted_size): New.
	(class tainted_divisor): New.
	(class tainted_allocation_size): New.
	(taint_state_machine::alt_get_inherited_state): New.
	(taint_state_machine::on_stmt): In assignment handling, remove
	ARRAY_REF handling in favor of check_region_for_taint. Add
	detection of tainted divisors.
	(taint_state_machine::get_taint): New.
	(taint_state_machine::combine_states): New.
	(region_model::check_region_for_taint): New.
	(region_model::check_dynamic_size_for_taint): New.
	* sm.h (state_machine::alt_get_inherited_state): New.

2021-11-12  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt_pre): Return when handling
	"__analyzer_dump_state".

2021-11-11  Richard Biener  <rguenther@suse.de>

	* supergraph.cc: Include bitmap.h.

2021-11-04  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::dump): Use default_tree_printer
	as format decoder.

2021-09-16  Maxim Blinov  <maxim.blinov@embecosm.com>

	PR bootstrap/102242
	* engine.cc (INCLUDE_UNIQUE_PTR): Define.

2021-09-08  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/102225
	* analyzer.h (compat_types_p): New decl.
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Guard against NULL
	type when checking for pointer types.
	* region-model-impl-calls.cc (region_model::impl_call_realloc):
	Guard against NULL lhs type/region. Guard against the size value
	not being of a compatible type for dynamic extents.
	* region-model.cc (compat_types_p): Make non-static.

2021-08-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/99260
	* analyzer.h (class custom_edge_info): New class, adapted from
	exploded_edge::custom_info_t. Make member functions const.
	Make update_model return bool, converting edge param from
	reference to a pointer, and adding a ctxt param.
	(class path_context): New class.
	* call-info.cc: New file.
	* call-info.h: New file.
	* engine.cc: Include "analyzer/call-info.h" and <memory>.
	(impl_region_model_context::impl_region_model_context): Update for
	new m_path_ctxt field.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_sm_context::impl_sm_context): Update for new m_path_ctxt
	field.
	(impl_sm_context::get_fndecl_for_call): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(impl_sm_context::is_zero_assignment): Likewise.
	(impl_sm_context::get_path_context): New.
	(impl_sm_context::m_path_ctxt): New.
	(impl_region_model_context::on_condition): Update for new
	path_ctxt param. Handle m_enode_for_diag being NULL.
	(impl_region_model_context::on_phi): Update for new path_ctxt
	param.
	(exploded_node::on_stmt): Add path_ctxt param, updating ctor calls
	to use it as necessary. Use it to bail out after sm-handling,
	if needed.
	(exploded_node::detect_leaks): Update for new path_ctxt param.
	(dynamic_call_info_t::update_model): Update for conversion of
	exploded_edge::custom_info_t to custom_edge_info.
	(dynamic_call_info_t::add_events_to_path): Likewise.
	(rewind_info_t::update_model): Likewise.
	(rewind_info_t::add_events_to_path): Likewise.
	(exploded_edge::exploded_edge): Likewise.
	(exploded_graph::add_edge): Likewise.
	(exploded_graph::maybe_process_run_of_before_supernode_enodes):
	Update for new path_ctxt param.
	(class impl_path_context): New.
	(exploded_graph::process_node): Update for new path_ctxt param.
	Create an impl_path_context and pass it to exploded_node::on_stmt.
	Use it to terminate iterating stmts if terminate_path is called
	on it. After processing a run of stmts, query path_ctxt to
	potentially terminate the analysis path, and/or to "bifurcate" the
	analysis into multiple additional paths.
	(feasibility_state::maybe_update_for_edge): Update for new
	update_model ctxt param.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	path_ctxt param.
	(impl_region_model_context::bifurcate): New.
	(impl_region_model_context::terminate_path): New.
	(impl_region_model_context::get_ext_state): New.
	(impl_region_model_context::get_malloc_map): New.
	(impl_region_model_context::m_path_ctxt): New field.
	(exploded_node::on_stmt): Add path_ctxt param.
	(class exploded_edge::custom_info_t): Move to analyzer.h, renaming
	to custom_edge_info, and making the changes as noted in analyzer.h
	above.
	(exploded_edge::exploded_edge): Update for these changes to
	exploded_edge::custom_info_t.
	(exploded_edge::m_custom_info): Likewise.
	(class dynamic_call_info_t): Likewise.
	(class rewind_info_t): Likewise.
	(exploded_graph::add_edge): Likewise.
	* program-state.cc (program_state::on_edge): Update for new
	path_ctxt param.
	(program_state::push_call): Likewise.
	(program_state::returning_call): Likewise.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc: Include "analyzer/call-info.h".
	(call_details::get_fndecl_for_call): New.
	(region_model::impl_call_realloc): Reimplement.
	* region-model.cc (region_model::on_call_pre): Move call to
	impl_call_realloc to...
	(region_model::on_call_post): ...here. Consolidate creation
	of call_details instance.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	* region-model.h (call_details::get_call_stmt): New.
	(call_details::get_fndecl_for_call): New.
	(region_model::on_realloc_with_move): New.
	(region_model_context::bifurcate): New.
	(region_model_context::terminate_path): New.
	(region_model_context::get_ext_state): New.
	(region_model_context::get_malloc_map): New.
	(noop_region_model_context::bifurcate): New.
	(noop_region_model_context::terminate_path): New.
	(noop_region_model_context::get_ext_state): New.
	(noop_region_model_context::get_malloc_map): New.
	* sm-malloc.cc: Include "analyzer/program-state.h".
	(malloc_state_machine::on_realloc_call): Reimplement.
	(malloc_state_machine::on_realloc_with_move): New.
	(region_model::on_realloc_with_move): New.
	* sm-signal.cc (class signal_delivery_edge_info_t): Update for
	conversion from exploded_edge::custom_info_t to custom_edge_info.
	* sm.h (sm_context::get_path_context): New.
	* svalue.cc (svalue::maybe_get_constant): Call
	unwrap_any_unmergeable.

2021-08-25  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* engine.cc (exploded_graph::maybe_create_dynamic_call): Don't create
	calls if max recursion limit is reached.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): Convert to...
	(class rejected_constraint): ...this.
	(class bounded_ranges): New forward decl.
	(class bounded_ranges_manager): New forward decl.
	* constraint-manager.cc: Include "analyzer/analyzer-logging.h" and
	"tree-pretty-print.h".
	(can_plus_one_p): New.
	(plus_one): New.
	(can_minus_one_p): New.
	(minus_one): New.
	(bounded_range::bounded_range): New.
	(dump_cst): New.
	(bounded_range::dump_to_pp): New.
	(bounded_range::dump): New.
	(bounded_range::to_json): New.
	(bounded_range::set_json_attr): New.
	(bounded_range::contains_p): New.
	(bounded_range::intersects_p): New.
	(bounded_range::operator==): New.
	(bounded_range::cmp): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::bounded_ranges): New.
	(bounded_ranges::canonicalize): New.
	(bounded_ranges::validate): New.
	(bounded_ranges::operator==): New.
	(bounded_ranges::dump_to_pp): New.
	(bounded_ranges::dump): New.
	(bounded_ranges::to_json): New.
	(bounded_ranges::eval_condition): New.
	(bounded_ranges::contain_p): New.
	(bounded_ranges::cmp): New.
	(bounded_ranges_manager::~bounded_ranges_manager): New.
	(bounded_ranges_manager::get_or_create_empty): New.
	(bounded_ranges_manager::get_or_create_point): New.
	(bounded_ranges_manager::get_or_create_range): New.
	(bounded_ranges_manager::get_or_create_union): New.
	(bounded_ranges_manager::get_or_create_intersection): New.
	(bounded_ranges_manager::get_or_create_inverse): New.
	(bounded_ranges_manager::consolidate): New.
	(bounded_ranges_manager::get_or_create_ranges_for_switch): New.
	(bounded_ranges_manager::create_ranges_for_switch): New.
	(bounded_ranges_manager::make_case_label_ranges): New.
	(bounded_ranges_manager::log_stats): New.
	(bounded_ranges_constraint::print): New.
	(bounded_ranges_constraint::to_json): New.
	(bounded_ranges_constraint::operator==): New.
	(bounded_ranges_constraint::add_to_hash): New.
	(constraint_manager::constraint_manager): Update for new field
	m_bounded_ranges_constraints.
	(constraint_manager::operator=): Likewise.
	(constraint_manager::hash): Likewise.
	(constraint_manager::operator==): Likewise.
	(constraint_manager::print): Likewise.
	(constraint_manager::dump_to_pp): Likewise.
	(constraint_manager::to_json): Likewise.
	(constraint_manager::add_unknown_constraint): Update the lhs_ec_id
	if necessary in existing constraints when combining equivalence
	classes. Add similar code for handling
	m_bounded_ranges_constraints.
	(constraint_manager::add_constraint_internal): Add comment.
	(constraint_manager::add_bounded_ranges): New.
	(constraint_manager::eval_condition): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::purge): Update bounded_ranges_constraint
	instances.
	(constraint_manager::canonicalize): Update for new field.
	(merger_fact_visitor::on_ranges): New.
	(constraint_manager::for_each_fact): Use new field
	m_bounded_ranges_constraints.
	(constraint_manager::validate): Fix off-by-one error needed due
	to bug fixed above in add_unknown_constraint. Validate the EC IDs
	in m_bounded_ranges_constraints.
	(constraint_manager::get_range_manager): New.
	(selftest::assert_dump_bounded_range_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGE_EQ): New.
	(selftest::test_bounded_range): New.
	(selftest::assert_dump_bounded_ranges_eq): New.
	(ASSERT_DUMP_BOUNDED_RANGES_EQ): New.
	(selftest::test_bounded_ranges): New.
	(selftest::run_constraint_manager_tests): Call the new selftests.
	* constraint-manager.h (struct bounded_range): New.
	(struct bounded_ranges): New.
	(template <> struct default_hash_traits<bounded_ranges::key_t>): New.
	(class bounded_ranges_manager): New.
	(fact_visitor::on_ranges): New pure virtual function.
	(class bounded_ranges_constraint): New.
	(constraint_manager::add_bounded_ranges): New decl.
	(constraint_manager::get_range_manager): New decl.
	(constraint_manager::m_bounded_ranges_constraints): New field.
	* diagnostic-manager.cc (epath_finder::process_worklist_item):
	Transfer ownership of rc to add_feasibility_problem.
	* engine.cc (feasibility_problem::dump_to_pp): Use get_model.
	* feasible-graph.cc (infeasible_node::dump_dot): Update for
	conversion of m_rc to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* feasible-graph.h (infeasible_node::infeasible_node): Pass RC by
	pointer and take ownership.
	(infeasible_node::~infeasible_node): New.
	(infeasible_node::m_rc): Convert to a pointer.
	(feasible_graph::add_feasibility_problem): Pass RC by pointer and
	take ownership.
	* region-model-manager.cc: Include
	"analyzer/constraint-manager.h".
	(region_model_manager::region_model_manager): Initialize new
	field m_range_mgr.
	(region_model_manager::~region_model_manager): Delete it.
	(region_model_manager::log_stats): Call log_stats on it.
	* region-model.cc (region_model::add_constraint): Use new subclass
	rejected_op_constraint.
	(region_model::apply_constraints_for_gswitch): Reimplement using
	bounded_ranges_manager.
	(rejected_constraint::dump_to_pp): Convert to...
	(rejected_op_constraint::dump_to_pp): ...this.
	(rejected_ranges_constraint::dump_to_pp): New.
	* region-model.h (struct purge_stats): Add field
	m_num_bounded_ranges_constraints.
	(region_model_manager::get_range_manager): New.
	(region_model_manager::m_range_mgr): New.
	(region_model::get_range_manager): New.
	(struct rejected_constraint): Split into...
	(class rejected_constraint): ...this new abstract base class,
	and...
	(class rejected_op_constraint): ...this new concrete subclass.
	(class rejected_ranges_constraint): New.
	* supergraph.cc: Include "tree-cfg.h".
	(supergraph::supergraph): Drop idx param from add_cfg_edge.
	(supergraph::add_cfg_edge): Drop idx param.
	(switch_cfg_superedge::switch_cfg_superedge): Move here from
	header. Populate m_case_labels with all cases which go to DST.
	(switch_cfg_superedge::dump_label_to_pp): Reimplement to use
	m_case_labels.
	(switch_cfg_superedge::get_case_label): Delete.
	* supergraph.h (supergraph::add_cfg_edge): Drop "idx" param.
	(switch_cfg_superedge::switch_cfg_superedge): Drop idx param and
	move implementation to supergraph.cc.
	(switch_cfg_superedge::get_case_label): Delete.
	(switch_cfg_superedge::get_case_labels): New.
	(switch_cfg_superedge::m_idx): Delete.
	(switch_cfg_superedge::m_case_labels): New field.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101875
	* sm-file.cc (file_diagnostic::describe_state_change): Handle
	change.m_expr being NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101837
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Bail if fn is
	NULL, and assert that it's non-NULL before passing it to
	build_call_array_loc.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101962
	* region-model.cc (region_model::eval_condition_without_cm):
	Refactor comparison against zero, adding a check for
	POINTER_PLUS_EXPR of non-NULL.

2021-08-23  David Malcolm  <dmalcolm@redhat.com>

	* store.cc (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.
	(binding_cluster::maybe_get_compound_binding): Handle the partial
	overlap case.
	(selftest::test_bit_range_intersects_p): Add test coverage for
	new overload of bit_range::intersects_p.
	* store.h (bit_range::intersects_p): New overload.
	(bit_range::operator-): New.

2021-08-23  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/102020
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Fix typo.

2021-08-21  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/101980
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>: Use
	caller_model only when the supergraph_edge doesn't exist.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this, return call
	creation status.
	(exploded_graph::process_node): Handle calls which were not dynamically
	discovered.
	* exploded-graph.h (exploded_graph::create_dynamic_call): Rename to...
	(exploded_graph::maybe_create_dynamic_call): ...this.
	* region-model.cc (region_model::update_for_gcall): New param, use it
	to push call to frame.
	(region_model::update_for_call_superedge): Pass callee function to
	update_for_gcall.
	* region-model.h (region_model::update_for_gcall): New param.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/97114
	* region-model.cc (region_model::get_rvalue_1): Add case for
	OBJ_TYPE_REF.

2021-08-18  Ankur Saini  <arsenic@sourceware.org>

	PR analyzer/100546
	* analysis-plan.cc (analysis_plan::use_summary_p): Don't use call
	summaries if there is no callgraph edge.
	* checker-path.cc (call_event::call_event): Handle call events that
	are not represented by a supergraph call edge.
	(return_event::return_event): Likewise.
	(call_event::get_desc): Work with new call_event structure.
	(return_event::get_desc): Likewise.
	* checker-path.h (call_event::m_src_snode): New field.
	(call_event::m_dest_snode): New field.
	(return_event::m_src_snode): New field.
	(return_event::m_dest_snode): New field.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_CALL_EDGE>:
	Refactor to work with edges without callgraph edge.
	(diagnostic_manager::prune_for_sm_diagnostic)<case EK_RETURN_EDGE>:
	Likewise.
	* engine.cc (dynamic_call_info_t::update_model): New function.
	(dynamic_call_info_t::add_events_to_path): New function.
	(exploded_graph::create_dynamic_call): New function.
	(exploded_graph::process_node): Work with dynamically discovered calls.
	* exploded-graph.h (class dynamic_call_info_t): New class.
	(exploded_graph::create_dynamic_call): New decl.
	* program-point.cc (program_point::push_to_call_stack): New function.
	(program_point::pop_from_call_stack): New function.
	* program-point.h (program_point::push_to_call_stack): New decl.
	(program_point::pop_from_call_stack): New decl.
	* program-state.cc (program_state::push_call): New function.
	(program_state::returning_call): New function.
	* program-state.h (program_state::push_call): New decl.
	(program_state::returning_call): New decl.
	* region-model.cc (region_model::update_for_gcall): New function.
	(region_model::update_for_return_gcall): New function.
	(region_model::update_for_call_superedge): Get the underlying gcall and
	update for gcall.
	(region_model::update_for_return_superedge): Likewise.
	* region-model.h (region_model::update_for_gcall): New decl.
	(region_model::update_for_return_gcall): New decl.
	* state-purge.cc (state_purge_per_ssa_name::process_point): Update to
	work with calls without underlying cgraph edge.
	* supergraph.cc (supergraph::supergraph): Split snodes at every callsite.
	* supergraph.h (supernode::get_returning_call): New accessor.

2021-08-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/101570
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Add GIMPLE_ASM
	case.
	* analyzer.h (class asm_output_svalue): New forward decl.
	(class reachable_regions): New forward decl.
	* complexity.cc (complexity::from_vec_svalue): New.
	* complexity.h (complexity::from_vec_svalue): New decl.
	* engine.cc (feasibility_state::maybe_update_for_edge): Handle
	asm stmts by calling on_asm_stmt.
	* region-model-asm.cc: New file.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New.
	(region_model_manager::log_stats): Log m_asm_output_values_map.
	* region-model.cc (region_model::on_stmt_pre): Handle GIMPLE_ASM.
	* region-model.h (visitor::visit_asm_output_svalue): New.
	(region_model_manager::get_or_create_asm_output_svalue): New decl.
	(region_model_manager::maybe_fold_asm_output_svalue): New decl.
	(region_model_manager::asm_output_values_map_t): New typedef.
	(region_model_manager::m_asm_output_values_map): New field.
	(region_model::on_asm_stmt): New.
	* store.cc (binding_cluster::on_asm): New.
	* store.h (binding_cluster::on_asm): New decl.
	* svalue.cc (svalue::cmp_ptr): Handle SK_ASM_OUTPUT.
	(asm_output_svalue::dump_to_pp): New.
	(asm_output_svalue::dump_input): New.
	(asm_output_svalue::input_idx_to_asm_idx): New.
	(asm_output_svalue::accept): New.
	* svalue.h (enum svalue_kind): Add SK_ASM_OUTPUT.
	(svalue::dyn_cast_asm_output_svalue): New.
	(class asm_output_svalue): New.
	(is_a_helper <const asm_output_svalue *>::test): New.
	(struct default_hash_traits<asm_output_svalue::key_t>): New.

2021-08-03  Jakub Jelinek  <jakub@redhat.com>

	PR analyzer/101721
	* sm-malloc.cc (known_allocator_p): Only check DECL_FUNCTION_CODE on
	BUILT_IN_NORMAL builtins.

2021-07-29  Ankur Saini  <arsenic@sourceware.org>

	* call-string.cc (call_string::element_t::operator==): New operator.
	(call_string::element_t::operator!=): New operator.
	(call_string::element_t::get_caller_function): New function.
	(call_string::element_t::get_callee_function): New function.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::operator=): Refactor to work with m_elements.
	(call_string::operator==): Likewise.
	(call_string::to_json): Likewise.
	(call_string::hash): Refactor to hash e.m_caller.
	(call_string::push_call): Refactor to work with m_elements.
	(call_string::push_call): New overload to push call via supernodes.
	(call_string::pop): Refactor to work with m_elements.
	(call_string::calc_recursion_depth): Likewise.
	(call_string::cmp): Likewise.
	(call_string::validate): Likewise.
	(call_string::operator[]): Likewise.
	* call-string.h (class supernode): New forward decl.
	(struct call_string::element_t): New struct.
	(call_string::call_string): Refactor to initialise m_elements.
	(call_string::empty_p): Refactor to work with m_elements.
	(call_string::get_callee_node): New decl.
	(call_string::get_caller_node): New decl.
	(m_elements): Replaces m_return_edges.
	* program-point.cc (program_point::get_function_at_depth): Refactor to
	work with new call-string format.
	(program_point::validate): Likewise.
	(program_point::on_edge): Likewise.

39169029
GA
21632021-07-28 David Malcolm <dmalcolm@redhat.com>
2164
2165 * region-model.cc (region_model::on_call_pre): Treat
2166 IFN_UBSAN_BOUNDS, BUILT_IN_STACK_SAVE, and BUILT_IN_STACK_RESTORE
2167 as no-ops, rather than handling them as unknown functions.
2168
21692021-07-28 David Malcolm <dmalcolm@redhat.com>
2170
2171 * region-model-impl-calls.cc (region_model::impl_call_alloca):
2172 Drop redundant return value.
2173 (region_model::impl_call_builtin_expect): Likewise.
2174 (region_model::impl_call_calloc): Likewise.
2175 (region_model::impl_call_malloc): Likewise.
2176 (region_model::impl_call_memset): Likewise.
2177 (region_model::impl_call_operator_new): Likewise.
2178 (region_model::impl_call_operator_delete): Likewise.
2179 (region_model::impl_call_strlen): Likewise.
2180 * region-model.cc (region_model::on_call_pre): Fix return value of
2181 known functions that don't have unknown side-effects.
2182 * region-model.h (region_model::impl_call_alloca): Drop redundant
2183 return value.
2184 (region_model::impl_call_builtin_expect): Likewise.
2185 (region_model::impl_call_calloc): Likewise.
2186 (region_model::impl_call_malloc): Likewise.
2187 (region_model::impl_call_memset): Likewise.
2188 (region_model::impl_call_strlen): Likewise.
2189 (region_model::impl_call_operator_new): Likewise.
2190 (region_model::impl_call_operator_delete): Likewise.
2191
21922021-07-28 Siddhesh Poyarekar <siddhesh@gotplt.org>
2193
2194 * analyzer.cc (is_named_call_p, is_std_named_call_p): Make
2195 first argument a const_tree.
2196 * analyzer.h (is_named_call_p, -s_std_named_call_p): Likewise.
2197 * sm-malloc.cc (known_allocator_p): New function.
2198 (malloc_state_machine::on_stmt): Use it.
2199
22002021-07-28 Siddhesh Poyarekar <siddhesh@gotplt.org>
2201
2202 * sm-malloc.cc
2203 (malloc_state_machine::get_or_create_deallocator): Recognize
2204 __builtin_free.
2205
1a7febe9
GA
22062021-07-26 David Malcolm <dmalcolm@redhat.com>
2207
2208 * region-model.cc (region_model::on_call_pre): Always set conjured
2209 LHS, not just for SSA names.
2210
ead235f6
GA
22112021-07-23 David Malcolm <dmalcolm@redhat.com>
2212
2213 * diagnostic-manager.cc
2214 (class auto_disable_complexity_checks): New.
2215 (epath_finder::explore_feasible_paths): Use it to disable
2216 complexity checks whilst processing the worklist.
2217 * region-model-manager.cc
2218 (region_model_manager::region_model_manager): Initialize
2219 m_check_complexity.
2220 (region_model_manager::reject_if_too_complex): Bail if
2221 m_check_complexity is false.
2222 * region-model.h
2223 (region_model_manager::enable_complexity_check): New.
2224 (region_model_manager::disable_complexity_check): New.
2225 (region_model_manager::m_check_complexity): New.
2226
419c6c68
GA
22272021-07-21 David Malcolm <dmalcolm@redhat.com>
2228
2229 PR analyzer/101547
2230 * sm-file.cc (file_leak::emit): Handle m_arg being NULL.
2231 (file_leak::describe_final_event): Handle ev.m_expr being NULL.
2232
22332021-07-21 David Malcolm <dmalcolm@redhat.com>
2234
2235 PR analyzer/101522
2236 * store.cc (binding_cluster::purge_state_involving): Don't change
2237 m_map whilst iterating through it.
2238
22392021-07-21 David Malcolm <dmalcolm@redhat.com>
2240
2241 * region-model.cc (region_model::handle_phi): Add "old_state"
2242 param and use it.
2243 (region_model::update_for_phis): Update so that all of the phi
2244 stmts are effectively handled simultaneously, rather than in
2245 order.
2246 * region-model.h (region_model::handle_phi): Add "old_state"
2247 param.
2248 * state-purge.cc (self_referential_phi_p): Replace with...
2249 (name_used_by_phis_p): ...this new function.
2250 (state_purge_per_ssa_name::process_point): Update to use the
2251 above, so that all phi stmts at a basic block are effectively
2252 considered simultaneously, and only consider the phi arguments for
2253 the pertinent in-edge.
2254 * supergraph.cc (cfg_superedge::get_phi_arg_idx): New.
2255 (cfg_superedge::get_phi_arg): Use the above.
2256 * supergraph.h (cfg_superedge::get_phi_arg_idx): New decl.
2257
22582021-07-21 David Malcolm <dmalcolm@redhat.com>
2259
2260 * state-purge.cc (state_purge_annotator::add_node_annotations):
2261 Rather than erroneously always using the NULL in-edge, determine
2262 each relevant in-edge, and print the appropriate data for each
2263 in-edge. Use print_needed to print the data as comma-separated
2264 lists of SSA names.
2265 (print_vec_of_names): Add "within_table" param and use it.
2266 (state_purge_annotator::add_stmt_annotations): Factor out
2267 collation and printing code into...
2268 (state_purge_annotator::print_needed): ...this new function.
2269 * state-purge.h (state_purge_annotator::print_needed): New decl.
2270
22712021-07-21 David Malcolm <dmalcolm@redhat.com>
2272
2273 * program-point.cc (function_point::print): Show src BB index at
2274 BEFORE_SUPERNODE.
2275
22762021-07-21 David Malcolm <dmalcolm@redhat.com>
2277
2278 * svalue.cc (infix_p): New.
2279 (binop_svalue::dump_to_pp): Use it to print MIN_EXPR and MAX_EXPR
2280 in prefix form, rather than infix.
2281
21ea2f93
GA
22822021-07-19 David Malcolm <dmalcolm@redhat.com>
2283
2284 PR analyzer/101503
2285 * constraint-manager.cc (constraint_manager::add_constraint): Use
2286 can_have_associated_state_p rather than testing for unknown.
2287 (constraint_manager::get_or_add_equiv_class): Likewise.
2288 * program-state.cc (sm_state_map::set_state): Likewise.
2289 (sm_state_map::impl_set_state): Add assertion.
2290 * region-model-manager.cc
2291 (region_model_manager::maybe_fold_unaryop): Handle poisoned
2292 values.
2293 (region_model_manager::maybe_fold_binop): Move handling of unknown
2294 values...
2295 (region_model_manager::get_or_create_binop): ...to here, and
2296 generalize to use can_have_associated_state_p.
2297 (region_model_manager::maybe_fold_sub_svalue): Use
2298 can_have_associated_state_p rather than testing for unknown.
2299 (region_model_manager::maybe_fold_repeated_svalue): Use unknown
2300 when the size or repeated value is "unknown"/"poisoned".
2301 * region-model.cc (region_model::purge_state_involving): Reject
2302 attempts to purge unknown/poisoned svalues, as these svalues
2303 should not have state associated with them.
2304 * svalue.cc (sub_svalue::sub_svalue): Assert that we're building
2305 on top of an svalue with can_have_associated_state_p.
2306 (repeated_svalue::repeated_svalue): Likewise.
2307 (bits_within_svalue::bits_within_svalue): Likewise.
2308 * svalue.h (svalue::can_have_associated_state_p): New.
2309 (unknown_svalue::can_have_associated_state_p): New.
2310 (poisoned_svalue::can_have_associated_state_p): New.
2311 (unaryop_svalue::unaryop_svalue): Assert that we're building on
2312 top of an svalue with can_have_associated_state_p.
2313 (binop_svalue::binop_svalue): Likewise.
2314 (widening_svalue::widening_svalue): Likewise.
2315
87277b6a
GA
23162021-07-16 David Malcolm <dmalcolm@redhat.com>
2317
2318 * analyzer.h (enum access_direction): New.
2319 * engine.cc (exploded_node::on_longjmp): Update for new param of
2320 get_store_value.
2321 * program-state.cc (program_state::prune_for_point): Likewise.
2322 * region-model-impl-calls.cc (region_model::impl_call_memcpy):
2323 Replace call to check_for_writable_region with call to
2324 check_region_for_write.
2325 (region_model::impl_call_memset): Likewise.
2326 (region_model::impl_call_strcpy): Likewise.
2327 * region-model-reachability.cc (reachable_regions::add): Update
2328 for new param of get_store_value.
2329 * region-model.cc (region_model::get_rvalue_1): Likewise, also for
2330 get_rvalue_for_bits.
2331 (region_model::get_store_value): Add ctxt param and use it to call
2332 check_region_for_read.
2333 (region_model::get_rvalue_for_bits): Add ctxt param and use it to
2334 call get_store_value.
2335 (region_model::check_region_access): New.
2336 (region_model::check_region_for_write): New.
2337 (region_model::check_region_for_read): New.
2338 (region_model::set_value): Update comment. Replace call to
2339 check_for_writable_region with call to check_region_for_write.
2340 * region-model.h (region_model::get_rvalue_for_bits): Add ctxt
2341 param.
2342 (region_model::get_store_value): Add ctxt param.
2343 (region_model::check_region_access): New decl.
2344 (region_model::check_region_for_write): New decl.
2345 (region_model::check_region_for_read): New decl.
2346 * region.cc (region_model::copy_region): Update call to
2347 get_store_value.
2348 * svalue.cc (initial_svalue::implicitly_live_p): Likewise.
2349
23502021-07-16 David Malcolm <dmalcolm@redhat.com>
2351
2352 * engine.cc (exploded_node::on_stmt_pre): Handle
2353 __analyzer_dump_state.
2354 * program-state.cc (extrinsic_state::get_sm_idx_by_name): New.
2355 (program_state::impl_call_analyzer_dump_state): New.
2356 * program-state.h (extrinsic_state::get_sm_idx_by_name): New decl.
2357 (program_state::impl_call_analyzer_dump_state): New decl.
2358 * region-model-impl-calls.cc
2359 (call_details::get_arg_string_literal): New.
2360 * region-model.h (call_details::get_arg_string_literal): New decl.
2361
23622021-07-16 David Malcolm <dmalcolm@redhat.com>
2363
2364 * program-state.cc (program_state::detect_leaks): Simplify using
2365 svalue::maybe_get_region.
2366 * region-model-impl-calls.cc (region_model::impl_call_fgets): Likewise.
2367 (region_model::impl_call_fread): Likewise.
2368 (region_model::impl_call_free): Likewise.
2369 (region_model::impl_call_operator_delete): Likewise.
2370 * region-model.cc (selftest::test_stack_frames): Likewise.
2371 (selftest::test_state_merging): Likewise.
2372 * svalue.cc (svalue::maybe_get_region): New.
2373 * svalue.h (svalue::maybe_get_region): New decl.
2374
d97d71a1
GA
23752021-07-15 David Malcolm <dmalcolm@redhat.com>
2376
2377 * svalue.h (is_a_helper <placeholder_svalue *>::test): Make
2378 param and template param const.
2379 (is_a_helper <widening_svalue *>::test): Likewise.
2380 (is_a_helper <compound_svalue *>::test): Likewise.
2381 (is_a_helper <conjured_svalue *>::test): Likewise.
2382
23832021-07-15 David Malcolm <dmalcolm@redhat.com>
2384
2385 PR analyzer/95006
2386 PR analyzer/94713
2387 PR analyzer/94714
2388 * analyzer.cc (maybe_reconstruct_from_def_stmt): Split out
2389 GIMPLE_ASSIGN case into...
2390 (get_diagnostic_tree_for_gassign_1): New.
2391 (get_diagnostic_tree_for_gassign): New.
2392 * analyzer.h (get_diagnostic_tree_for_gassign): New decl.
2393 * analyzer.opt (Wanalyzer-write-to-string-literal): New.
2394 * constraint-manager.cc (class svalue_purger): New.
2395 (constraint_manager::purge_state_involving): New.
2396 * constraint-manager.h
2397 (constraint_manager::purge_state_involving): New.
2398 * diagnostic-manager.cc (saved_diagnostic::supercedes_p): New.
2399 (dedupe_winners::handle_interactions): New.
2400 (diagnostic_manager::emit_saved_diagnostics): Call it.
2401 * diagnostic-manager.h (saved_diagnostic::supercedes_p): New decl.
2402 * engine.cc (impl_region_model_context::warn): Convert return type
2403 to bool. Return false if the diagnostic isn't saved.
2404 (impl_region_model_context::purge_state_involving): New.
2405 (impl_sm_context::get_state): Use NULL ctxt when querying old
2406 rvalue.
2407 (impl_sm_context::set_next_state): Use new sval when querying old
2408 state.
2409 (class dump_path_diagnostic): Move to region-model.cc
2410 (exploded_node::on_stmt): Move to on_stmt_pre and on_stmt_post.
2411 Remove call to purge_state_involving.
2412 (exploded_node::on_stmt_pre): New, based on the above. Move most
2413 of it to region_model::on_stmt_pre.
2414 (exploded_node::on_stmt_post): Likewise, moving to
2415 region_model::on_stmt_post.
2416 (class stale_jmp_buf): Fix parent class to use curiously recurring
2417 template pattern.
2418 (feasibility_state::maybe_update_for_edge): Call on_call_pre and
2419 on_call_post on gcalls.
2420 * exploded-graph.h (impl_region_model_context::warn): Return bool.
2421 (impl_region_model_context::purge_state_involving): New decl.
2422 (exploded_node::on_stmt_pre): New decl.
2423 (exploded_node::on_stmt_post): New decl.
2424 * pending-diagnostic.h (pending_diagnostic::use_of_uninit_p): New.
2425 (pending_diagnostic::supercedes_p): New.
2426 * program-state.cc (sm_state_map::get_state): Inherit state for
2427 conjured_svalue as well as initial_svalue.
2428 (sm_state_map::purge_state_involving): Also support SK_CONJURED.
2429 * region-model-impl-calls.cc (call_details::get_uncertainty):
2430 Handle m_ctxt being NULL.
2431 (call_details::get_or_create_conjured_svalue): New.
2432 (region_model::impl_call_fgets): New.
2433 (region_model::impl_call_fread): New.
2434 * region-model-manager.cc
2435 (region_model_manager::get_or_create_initial_value): Return an
2436 uninitialized poisoned value for regions that can't have initial
2437 values.
2438 * region-model-reachability.cc
2439 (reachable_regions::mark_escaped_clusters): Handle ctxt being
2440 NULL.
2441 * region-model.cc (region_to_value_map::purge_state_involving): New.
2442 (poisoned_value_diagnostic::use_of_uninit_p): New.
2443 (poisoned_value_diagnostic::emit): Handle POISON_KIND_UNINIT.
2444 (poisoned_value_diagnostic::describe_final_event): Likewise.
2445 (region_model::check_for_poison): New.
2446 (region_model::on_assignment): Call it.
2447 (class dump_path_diagnostic): Move here from engine.cc.
2448 (region_model::on_stmt_pre): New, based on exploded_node::on_stmt.
2449 (region_model::on_call_pre): Move the setting of the LHS to a
2450 conjured svalue to before the checks for specific functions.
2451 Handle "fgets", "fgets_unlocked", and "fread".
2452 (region_model::purge_state_involving): New.
2453 (region_model::handle_unrecognized_call): Handle ctxt being NULL.
2454 (region_model::get_rvalue): Call check_for_poison.
2455 (selftest::test_stack_frames): Use NULL for context when getting
2456 uninitialized rvalue.
2457 (selftest::test_alloca): Likewise.
2458 * region-model.h (region_to_value_map::purge_state_involving): New
2459 decl.
2460 (call_details::get_or_create_conjured_svalue): New decl.
2461 (region_model::on_stmt_pre): New decl.
2462 (region_model::purge_state_involving): New decl.
2463 (region_model::impl_call_fgets): New decl.
2464 (region_model::impl_call_fread): New decl.
2465 (region_model::check_for_poison): New decl.
2466 (region_model_context::warn): Return bool.
2467 (region_model_context::purge_state_involving): New.
2468 (noop_region_model_context::warn): Return bool.
2469 (noop_region_model_context::purge_state_involving): New.
2470 (test_region_model_context:: warn): Return bool.
2471 * region.cc (region::get_memory_space): New.
2472 (region::can_have_initial_svalue_p): New.
2473 (region::involves_p): New.
2474 * region.h (enum memory_space): New.
2475 (region::get_memory_space): New decl.
2476 (region::can_have_initial_svalue_p): New decl.
2477 (region::involves_p): New decl.
2478 * sm-malloc.cc (use_after_free::supercedes_p): New.
2479 * store.cc (binding_cluster::purge_state_involving): New.
2480 (store::purge_state_involving): New.
2481 * store.h (class symbolic_binding): New forward decl.
2482 (binding_key::dyn_cast_symbolic_binding): New.
2483 (symbolic_binding::dyn_cast_symbolic_binding): New.
2484 (binding_cluster::purge_state_involving): New.
2485 (store::purge_state_involving): New.
2486 * svalue.cc (svalue::can_merge_p): Reject attempts to merge
2487 poisoned svalues with other svalues, so that we identify
2488 paths in which a variable is conditionally uninitialized.
2489 (involvement_visitor::visit_conjured_svalue): New.
2490 (svalue::involves_p): Also handle SK_CONJURED.
2491 (poison_kind_to_str): Handle POISON_KIND_UNINIT.
2492 (poisoned_svalue::maybe_fold_bits_within): New.
2493 * svalue.h (enum poison_kind): Add POISON_KIND_UNINIT.
2494 (poisoned_svalue::maybe_fold_bits_within): New decl.
2495
24962021-07-15 David Malcolm <dmalcolm@redhat.com>
2497
2498 * analyzer.opt (fdump-analyzer-exploded-paths): New.
2499 * diagnostic-manager.cc
2500 (diagnostic_manager::emit_saved_diagnostic): Implement it.
2501 * engine.cc (exploded_path::dump_to_pp): Add ext_state param and
2502 use it to dump states if non-NULL.
2503 (exploded_path::dump): Likewise.
2504 (exploded_path::dump_to_file): New.
2505 * exploded-graph.h (exploded_path::dump_to_pp): Add ext_state
2506 param.
2507 (exploded_path::dump): Likewise.
2508 (exploded_path::dump): Likewise.
2509 (exploded_path::dump_to_file): New.
2510
25112021-07-15 David Malcolm <dmalcolm@redhat.com>
2512
2513 * analyzer.cc (fixup_tree_for_diagnostic_1): Use DECL_DEBUG_EXPR
2514 if it's available.
2515 * engine.cc (readability): Likewise.
2516
25172021-07-15 David Malcolm <dmalcolm@redhat.com>
2518
2519 * state-purge.cc (self_referential_phi_p): New.
2520 (state_purge_per_ssa_name::process_point): Don't purge an SSA name
2521 at its def-stmt if the def-stmt is self-referential.
2522
c24a9707
GA
25232021-07-07 David Malcolm <dmalcolm@redhat.com>
2524
2525 * diagnostic-manager.cc (null_assignment_sm_context::get_state):
2526 New overload.
2527 (null_assignment_sm_context::set_next_state): New overload.
2528 (null_assignment_sm_context::get_diagnostic_tree): New.
2529 * engine.cc (impl_sm_context::get_state): New overload.
2530 (impl_sm_context::set_next_state): New overload.
2531 (impl_sm_context::get_diagnostic_tree): New overload.
2532 (impl_region_model_context::on_condition): Convert params from
2533 tree to const svalue *.
2534 * exploded-graph.h (impl_region_model_context::on_condition):
2535 Likewise.
2536 * region-model.cc (region_model::on_call_pre): Move handling of
2537 internal calls to before checking for get_fndecl_for_call.
2538 (region_model::add_constraints_from_binop): New.
2539 (region_model::add_constraint): Split out into a new overload
2540 working on const svalue * rather than tree. Call
2541 add_constraints_from_binop. Drop call to
2542 add_any_constraints_from_ssa_def_stmt.
2543 (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
2544 (region_model::add_any_constraints_from_gassign): Delete.
2545 (region_model::add_any_constraints_from_gcall): Delete.
2546 * region-model.h
2547 (region_model::add_any_constraints_from_ssa_def_stmt): Delete.
2548 (region_model::add_any_constraints_from_gassign): Delete.
2549 (region_model::add_any_constraints_from_gcall): Delete.
2550 (region_model::add_constraint): Add overload decl.
2551 (region_model::add_constraints_from_binop): New decl.
2552 (region_model_context::on_condition): Convert params from tree to
2553 const svalue *.
2554 (noop_region_model_context::on_condition): Likewise.
2555 * sm-file.cc (fileptr_state_machine::condition): Likewise.
2556 * sm-malloc.cc (malloc_state_machine::on_condition): Likewise.
2557 * sm-pattern-test.cc: Include tristate.h, selftest.h,
2558 analyzer/call-string.h, analyzer/program-point.h,
2559 analyzer/store.h, and analyzer/region-model.h.
2560 (pattern_test_state_machine::on_condition): Convert params from tree to
2561 const svalue *.
2562 * sm-sensitive.cc (sensitive_state_machine::on_condition): Delete.
2563 * sm-signal.cc (signal_state_machine::on_condition): Delete.
2564 * sm-taint.cc (taint_state_machine::on_condition): Convert params
2565 from tree to const svalue *.
2566 * sm.cc: Include tristate.h, selftest.h, analyzer/call-string.h,
2567 analyzer/program-point.h, analyzer/store.h, and
2568 analyzer/region-model.h.
2569 (any_pointer_p): Add overload taking const svalue *sval.
2570 * sm.h (any_pointer_p): Add overload taking const svalue *sval.
2571 (state_machine::on_condition): Convert params from tree to
2572 const svalue *. Provide no-op default implementation.
2573 (sm_context::get_state): Add overload taking const svalue *sval.
2574 (sm_context::set_next_state): Likewise.
2575 (sm_context::on_transition): Likewise.
2576 (sm_context::get_diagnostic_tree): Likewise.
2577 * svalue.cc (svalue::all_zeroes_p): New.
2578 (constant_svalue::all_zeroes_p): New.
2579 (repeated_svalue::all_zeroes_p): Convert to vfunc.
2580 * svalue.h (svalue::all_zeroes_p): New decl.
2581 (constant_svalue::all_zeroes_p): New decl.
2582 (repeated_svalue::all_zeroes_p): Convert decl to vfunc.
2583
25b6bfea
GA
25842021-06-30 David Malcolm <dmalcolm@redhat.com>
2585
2586 PR analyzer/95006
2587 * analyzer.h (class repeated_svalue): New forward decl.
2588 (class bits_within_svalue): New forward decl.
2589 (class sized_region): New forward decl.
2590 (get_field_at_bit_offset): New forward decl.
2591 * engine.cc (exploded_graph::get_or_create_node): Validate the
2592 merged state.
2593 (exploded_graph::maybe_process_run_of_before_supernode_enodes):
2594 Validate the states at each stage.
2595 * program-state.cc (program_state::validate): Validate
2596 m_region_model.
2597 * region-model-impl-calls.cc (region_model::impl_call_memset):
2598 Replace special-case logic for handling constant sizes with
2599 a call to fill_region of a sized_region with the given fill value.
2600 * region-model-manager.cc (maybe_undo_optimize_bit_field_compare):
2601 Drop DK_direct.
2602 (region_model_manager::maybe_fold_sub_svalue): Fold element-based
2603 subregions of an initial value into initial values of an element.
2604 Fold subvalues of repeated svalues.
2605 (region_model_manager::maybe_fold_repeated_svalue): New.
2606 (region_model_manager::get_or_create_repeated_svalue): New.
2607 (get_bit_range_for_field): New.
2608 (get_byte_range_for_field): New.
2609 (get_field_at_byte_range): New.
2610 (region_model_manager::maybe_fold_bits_within_svalue): New.
2611 (region_model_manager::get_or_create_bits_within): New.
2612 (region_model_manager::get_sized_region): New.
2613 (region_model_manager::log_stats): Update for addition of
2614 m_repeated_values_map, m_bits_within_values_map, and
2615 m_sized_regions.
2616 * region-model.cc (region_model::validate): New.
2617 (region_model::on_assignment): Drop enum binding_kind.
2618 (region_model::get_initial_value_for_global): Likewise.
2619 (region_model::get_rvalue_for_bits): Replace body with call to
2620 get_or_create_bits_within.
2621 (region_model::get_capacity): Handle RK_SIZED.
2622 (region_model::set_value): Drop enum binding_kind.
2623 (region_model::fill_region): New.
2624 (region_model::get_representative_path_var_1): Handle RK_SIZED.
2625 * region-model.h (visitor::visit_repeated_svalue): New.
2626 (visitor::visit_bits_within_svalue): New.
2627 (region_model_manager::get_or_create_repeated_svalue): New decl.
2628 (region_model_manager::get_or_create_bits_within): New decl.
2629 (region_model_manager::get_sized_region): New decl.
2630 (region_model_manager::maybe_fold_repeated_svalue): New decl.
2631 (region_model_manager::maybe_fold_bits_within_svalue): New decl.
2632 (region_model_manager::repeated_values_map_t): New typedef.
2633 (region_model_manager::m_repeated_values_map): New field.
2634 (region_model_manager::bits_within_values_map_t): New typedef.
2635 (region_model_manager::m_bits_within_values_map): New field.
2636 (region_model_manager::m_sized_regions): New field.
2637 (region_model::fill_region): New decl.
2638 * region.cc (region::get_base_region): Handle RK_SIZED.
2639 (region::base_region_p): Likewise.
2640 (region::get_byte_size_sval): New.
2641 (get_field_at_bit_offset): Make non-static.
2642 (region::calc_offset): Move implementation of cases to
2643 get_relative_concrete_offset vfunc implementations. Handle
2644 RK_SIZED.
2645 (region::get_relative_concrete_offset): New.
2646 (decl_region::get_svalue_for_initializer): Drop enum binding_kind.
2647 (field_region::get_relative_concrete_offset): New, from
2648 region::calc_offset.
2649 (element_region::get_relative_concrete_offset): Likewise.
2650 (offset_region::get_relative_concrete_offset): Likewise.
2651 (sized_region::accept): New.
2652 (sized_region::dump_to_pp): New.
2653 (sized_region::get_byte_size): New.
2654 (sized_region::get_bit_size): New.
2655 * region.h (enum region_kind): Add RK_SIZED.
2656 (region::dyn_cast_sized_region): New.
2657 (region::get_byte_size): Make virtual.
2658 (region::get_bit_size): Likewise.
2659 (region::get_byte_size_sval): New decl.
2660 (region::get_relative_concrete_offset): New decl.
2661 (field_region::get_relative_concrete_offset): New decl.
2662 (element_region::get_relative_concrete_offset): Likewise.
2663 (offset_region::get_relative_concrete_offset): Likewise.
2664 (class sized_region): New.
2665 * store.cc (binding_kind_to_string): Delete.
2666 (binding_key::make): Drop enum binding_kind.
2667 (binding_key::dump_to_pp): Delete.
2668 (binding_key::cmp_ptrs): Drop enum binding_kind.
2669 (bit_range::contains_p): New.
2670 (byte_range::dump): New.
2671 (byte_range::contains_p): New.
2672 (byte_range::cmp): New.
2673 (concrete_binding::dump_to_pp): Drop enum binding_kind.
2674 (concrete_binding::cmp_ptr_ptr): Likewise.
2675 (symbolic_binding::dump_to_pp): Likewise.
2676 (symbolic_binding::cmp_ptr_ptr): Likewise.
2677 (binding_map::apply_ctor_val_to_range): Likewise.
2678 (binding_map::apply_ctor_pair_to_child_region): Likewise.
2679 (binding_map::get_overlapping_bindings): New.
2680 (binding_map::remove_overlapping_bindings): New.
2681 (binding_cluster::validate): New.
2682 (binding_cluster::bind): Drop enum binding_kind.
2683 (binding_cluster::bind_compound_sval): Likewise.
2684 (binding_cluster::purge_region): Likewise.
2685 (binding_cluster::zero_fill_region): Reimplement in terms of...
2686 (binding_cluster::fill_region): New.
2687 (binding_cluster::mark_region_as_unknown): Drop enum binding_kind.
2688 (binding_cluster::get_binding): Likewise.
2689 (binding_cluster::get_binding_recursive): Likewise.
2690 (binding_cluster::get_any_binding): Likewise.
2691 (binding_cluster::maybe_get_compound_binding): Reimplement.
2692 (binding_cluster::get_overlapping_bindings): Delete.
2693 (binding_cluster::remove_overlapping_bindings): Reimplement in
2694 terms of binding_map::remove_overlapping_bindings.
2695 (binding_cluster::can_merge_p): Update for removal of
2696 enum binding_kind.
2697 (binding_cluster::on_unknown_fncall): Drop enum binding_kind.
2698 (binding_cluster::maybe_get_simple_value): Likewise.
2699 (store_manager::get_concrete_binding): Likewise.
2700 (store_manager::get_symbolic_binding): Likewise.
2701 (store::validate): New.
2702 (store::set_value): Drop enum binding_kind.
2703 (store::zero_fill_region): Reimplement in terms of...
2704 (store::fill_region): New.
2705 (selftest::test_binding_key_overlap): Drop enum binding_kind.
2706 * store.h (enum binding_kind): Delete.
2707 (binding_kind_to_string): Delete decl.
2708 (binding_key::make): Drop enum binding_kind.
2709 (binding_key::dump_to_pp): Make pure virtual.
2710 (binding_key::get_kind): Delete.
2711 (binding_key::mark_deleted): Delete.
2712 (binding_key::mark_empty): Delete.
2713 (binding_key::is_deleted): Delete.
2714 (binding_key::is_empty): Delete.
2715 (binding_key::binding_key): Delete.
2716 (binding_key::impl_hash): Delete.
2717 (binding_key::impl_eq): Delete.
2718 (binding_key::m_kind): Delete.
2719 (bit_range::get_last_bit_offset): New.
2720 (bit_range::contains_p): New.
2721 (byte_range::contains_p): New.
2722 (byte_range::operator==): New.
2723 (byte_range::get_start_byte_offset): New.
2724 (byte_range::get_next_byte_offset): New.
2725 (byte_range::get_last_byte_offset): New.
2726 (byte_range::as_bit_range): New.
2727 (byte_range::cmp): New.
2728 (concrete_binding::concrete_binding): Drop enum binding_kind.
2729 (concrete_binding::hash): Likewise.
2730 (concrete_binding::operator==): Likewise.
2731 (concrete_binding::mark_deleted): New.
2732 (concrete_binding::mark_empty): New.
2733 (concrete_binding::is_deleted): New.
2734 (concrete_binding::is_empty): New.
2735 (default_hash_traits<ana::concrete_binding>::empty_zero_p): Make false.
2736 (symbolic_binding::symbolic_binding): Drop enum binding_kind.
2737 (symbolic_binding::hash): Likewise.
2738 (symbolic_binding::operator==): Likewise.
2739 (symbolic_binding::mark_deleted): New.
2740 (symbolic_binding::mark_empty): New.
2741 (symbolic_binding::is_deleted): New.
2742 (symbolic_binding::is_empty): New.
2743 (binding_map::remove_overlapping_bindings): New decl.
2744 (binding_map::get_overlapping_bindings): New decl.
2745 (binding_cluster::validate): New decl.
2746 (binding_cluster::bind): Drop enum binding_kind.
2747 (binding_cluster::fill_region): New decl.
2748 (binding_cluster::get_binding): Drop enum binding_kind.
2749 (binding_cluster::get_binding_recursive): Likewise.
2750 (binding_cluster::get_overlapping_bindings): Delete.
2751 (store::validate): New decl.
2752 (store::set_value): Drop enum binding_kind.
2753 (store::fill_region): New decl.
2754 (store_manager::get_concrete_binding): Drop enum binding_kind.
2755 (store_manager::get_symbolic_binding): Likewise.
	* svalue.cc (svalue::cmp_ptr): Handle SK_REPEATED and
	SK_BITS_WITHIN.
	(svalue::extract_bit_range): New.
	(svalue::maybe_fold_bits_within): New.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(unaryop_svalue::maybe_fold_bits_within): New.
	(repeated_svalue::repeated_svalue): New.
	(repeated_svalue::dump_to_pp): New.
	(repeated_svalue::accept): New.
	(repeated_svalue::all_zeroes_p): New.
	(repeated_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::bits_within_svalue): New.
	(bits_within_svalue::dump_to_pp): New.
	(bits_within_svalue::maybe_fold_bits_within): New.
	(bits_within_svalue::accept): New.
	(bits_within_svalue::implicitly_live_p): New.
	(compound_svalue::maybe_fold_bits_within): New.
	* svalue.h (enum svalue_kind): Add SK_REPEATED and SK_BITS_WITHIN.
	(svalue::dyn_cast_repeated_svalue): New.
	(svalue::dyn_cast_bits_within_svalue): New.
	(svalue::extract_bit_range): New decl.
	(svalue::maybe_fold_bits_within): New vfunc decl.
	(region_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(region_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<region_svalue::key_t>::empty_zero_p): Make false.
	(constant_svalue::maybe_fold_bits_within): New.
	(unknown_svalue::maybe_fold_bits_within): New.
	(poisoned_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(poisoned_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<poisoned_svalue::key_t>::empty_zero_p): Make
	false.
	(setjmp_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(setjmp_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<setjmp_svalue::key_t>::empty_zero_p): Make
	false.
	(unaryop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(unaryop_svalue::key_t::is_empty): Likewise.
	(unaryop_svalue::maybe_fold_bits_within): New.
	(default_hash_traits<unaryop_svalue::key_t>::empty_zero_p): Make
	false.
	(binop_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(binop_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<binop_svalue::key_t>::empty_zero_p): Make
	false.
	(sub_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(sub_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<sub_svalue::key_t>::empty_zero_p): Make
	false.
	(class repeated_svalue): New.
	(is_a_helper <const repeated_svalue *>::test): New.
	(struct default_hash_traits<repeated_svalue::key_t>): New.
	(class bits_within_svalue): New.
	(is_a_helper <const bits_within_svalue *>::test): New.
	(struct default_hash_traits<bits_within_svalue::key_t>): New.
	(widening_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(widening_svalue::key_t::is_empty): Likewise.
	(default_hash_traits<widening_svalue::key_t>::empty_zero_p): Make
	false.
	(compound_svalue::key_t::mark_empty): Use 2 rather than NULL_TREE.
	(compound_svalue::key_t::is_empty): Likewise.
	(compound_svalue::maybe_fold_bits_within): New.
	(default_hash_traits<compound_svalue::key_t>::empty_zero_p): Make
	false.

2021-06-28 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (byte_offset_t): New typedef.
	* store.cc (bit_range::dump_to_pp): Dump as a byte range if
	possible.
	(bit_range::as_byte_range): New.
	(byte_range::dump_to_pp): New.
	* store.h (class byte_range): New forward decl.
	(struct bit_range): Add comment.
	(bit_range::as_byte_range): New decl.
	(struct byte_range): New.

2021-06-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/101143
	* region-model.cc (compat_types_p): New function.
	(region_model::create_region_for_heap_alloc): Convert assertion to
	an error check.
	(region_model::create_region_for_alloca): Likewise.

2021-06-18 David Malcolm <dmalcolm@redhat.com>

	* store.cc (binding_cluster::get_any_binding): Make symbolic reads
	from a cluster with concrete bindings return unknown.

2021-06-18 David Malcolm <dmalcolm@redhat.com>

	* region-model-manager.cc
	(region_model_manager::get_or_create_int_cst): New.
	(region_model_manager::maybe_undo_optimize_bit_field_compare): Use
	it to simplify away a local tree.
	* region-model.cc (region_model::on_setjmp): Likewise.
	(region_model::on_longjmp): Likewise.
	* region-model.h (region_model_manager::get_or_create_int_cst):
	New decl.
	* store.cc (binding_cluster::zero_fill_region): Use it to simplify
	away a local tree.

2021-06-18 David Malcolm <dmalcolm@redhat.com>

	* checker-path.cc (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	(custom_event::get_desc): Move to...
	(precanned_custom_event::get_desc): ...subclass.
	* checker-path.h (class custom_event): Make abstract to allow for
	custom vfuncs, splitting existing implementation into...
	(class precanned_custom_event): New subclass.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Use precanned_custom_event.
	* engine.cc
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): Likewise.
	* sm-signal.cc (signal_delivery_edge_info_t::add_events_to_path):
	Likewise.

2021-06-15 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99212
	PR analyzer/101082
	* engine.cc: Include "target.h".
	(impl_run_checkers): Log BITS_BIG_ENDIAN, BYTES_BIG_ENDIAN, and
	WORDS_BIG_ENDIAN.
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Move support for masking
	via ARG0 & CST into...
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	...this new function. Flatten by converting from nested
	conditionals to a series of early return statements to reject
	failures. Reject if type is not unsigned_char_type_node.
	Handle BYTES_BIG_ENDIAN when determining which bits are bound
	in the binding_map.
	* region-model.h
	(region_model_manager::maybe_undo_optimize_bit_field_compare):
	New decl.
	* store.cc (bit_range::dump): New function.
	* store.h (bit_range::dump): New decl.

2021-06-15 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Handle __analyzer_dump_capacity.
	(exploded_node::on_stmt): Drop m_sm_changes from on_stmt_flags.
	(state_change_requires_new_enode_p): New function...
	(exploded_graph::process_node): Call it, rather than querying
	flags.m_sm_changes, so that dynamic-extent differences can also
	trigger the splitting of nodes.
	* exploded-graph.h (struct on_stmt_flags): Drop field m_sm_changes.
	* program-state.cc (program_state::detect_leaks): Purge dead
	heap-allocated regions from dynamic extents.
	(selftest::test_program_state_1): Fix type of "size_in_bytes".
	(selftest::test_program_state_merging): Likewise.
	* region-model-impl-calls.cc
	(region_model::impl_call_analyzer_dump_capacity): New.
	(region_model::impl_call_free): Remove dynamic extents from the
	freed region.
	* region-model-reachability.h
	(reachable_regions::begin_mutable_base_regs): New.
	(reachable_regions::end_mutable_base_regs): New.
	* region-model.cc: Include "tree-object-size.h".
	(region_model::region_model): Support new field m_dynamic_extents.
	(region_model::operator=): Likewise.
	(region_model::operator==): Likewise.
	(region_model::dump_to_pp): Dump sizes of dynamic regions.
	(region_model::handle_unrecognized_call): Purge dynamic extents
	from any regions that have escaped mutably.
	(region_model::get_capacity): New function.
	(region_model::add_constraint): Unset dynamic extents when a
	heap-allocated region's address is NULL.
	(region_model::unbind_region_and_descendents): Purge dynamic
	extents of unbound regions.
	(region_model::can_merge_with_p): Call
	m_dynamic_extents.can_merge_with_p.
	(region_model::create_region_for_heap_alloc): Assert that
	size_in_bytes's type is compatible with size_type_node. Update
	for renaming of record_dynamic_extents to set_dynamic_extents.
	(region_model::create_region_for_alloca): Likewise.
	(region_model::record_dynamic_extents): Rename to...
	(region_model::set_dynamic_extents): ...this. Assert that
	size_in_bytes's type is compatible with size_type_node. Add it
	to the m_dynamic_extents map.
	(region_model::get_dynamic_extents): New.
	(region_model::unset_dynamic_extents): New.
	(selftest::test_state_merging): Fix type of "size".
	(selftest::test_malloc_constraints): Likewise.
	(selftest::test_malloc): Verify dynamic extents.
	(selftest::test_alloca): Likewise.
	* region-model.h (region_to_value_map::is_empty): New.
	(region_model::dynamic_extents_t): New typedef.
	(region_model::impl_call_analyzer_dump_capacity): New decl.
	(region_model::get_dynamic_extents): New function.
	(region_model::get_dynamic_extents): New decl.
	(region_model::set_dynamic_extents): New decl.
	(region_model::unset_dynamic_extents): New decl.
	(region_model::get_capacity): New decl.
	(region_model::record_dynamic_extents): Rename to set_dynamic_extents.
	(region_model::m_dynamic_extents): New field.

2021-06-15 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_to_value_map::operator=): New.
	(region_to_value_map::operator==): New.
	(region_to_value_map::dump_to_pp): New.
	(region_to_value_map::dump): New.
	(region_to_value_map::can_merge_with_p): New.
	* region-model.h (class region_to_value_map): New class.

2021-06-13 Trevor Saunders <tbsaunde@tbsaunde.org>

	* call-string.cc (call_string::call_string): Use range based for
	to iterate over vec<>.
	(call_string::to_json): Likewise.
	(call_string::hash): Likewise.
	(call_string::calc_recursion_depth): Likewise.
	* checker-path.cc (checker_path::fixup_locations): Likewise.
	* constraint-manager.cc (equiv_class::equiv_class): Likewise.
	(equiv_class::to_json): Likewise.
	(equiv_class::hash): Likewise.
	(constraint_manager::to_json): Likewise.
	* engine.cc (impl_region_model_context::on_svalue_leak):
	Likewise.
	(on_liveness_change): Likewise.
	(impl_region_model_context::on_unknown_change): Likewise.
	* program-state.cc (sm_state_map::set_state): Likewise.
	* region-model.cc (test_canonicalization_4): Likewise.

2021-06-11 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (worklist::key_t::cmp): Move sort by call_string to
	before SCC.

2021-06-09 David Malcolm <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_lvalue_1): Make const.
	(region_model::get_lvalue): Likewise.
	(region_model::get_rvalue_1): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	* region-model.h (region_model::get_lvalue): Likewise.
	(region_model::get_rvalue): Likewise.
	(region_model::deref_rvalue): Likewise.
	(region_model::get_rvalue_for_bits): Likewise.
	(region_model::get_lvalue_1): Likewise.
	(region_model::get_rvalue_1): Likewise.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99212
	* region-model-manager.cc
	(region_model_manager::maybe_fold_binop): Add support for folding
	BIT_AND_EXPR of compound_svalue and a mask constant.
	* region-model.cc (region_model::get_rvalue_1): Implement
	BIT_FIELD_REF in terms of...
	(region_model::get_rvalue_for_bits): New function.
	* region-model.h (region_model::get_rvalue_for_bits): New decl.
	* store.cc (bit_range::from_mask): New function.
	(selftest::test_bit_range_intersects_p): New selftest.
	(selftest::assert_bit_range_from_mask_eq): New.
	(ASSERT_BIT_RANGE_FROM_MASK_EQ): New macro.
	(selftest::assert_no_bit_range_from_mask_eq): New.
	(ASSERT_NO_BIT_RANGE_FROM_MASK): New macro.
	(selftest::test_bit_range_from_mask): New selftest.
	(selftest::analyzer_store_cc_tests): Call the new selftests.
	* store.h (bit_range::intersects_p): New.
	(bit_range::from_mask): New decl.
	(concrete_binding::get_bit_range): New accessor.
	(store_manager::get_concrete_binding): New overload taking
	const bit_range &.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	* analyzer.h (int_size_in_bits): New decl.
	* region.cc (int_size_in_bits): New function.
	(region::get_bit_size): Reimplement in terms of the above.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	* store.cc (concrete_binding::dump_to_pp): Move bulk of
	implementation to...
	(bit_range::dump_to_pp): ...this new function.
	(bit_range::cmp): New.
	(concrete_binding::overlaps_p): Update for use of bit_range.
	(concrete_binding::cmp_ptr_ptr): Likewise.
	* store.h (struct bit_range): New.
	(class concrete_binding): Replace fields m_start_bit_offset and
	m_size_in_bits with new field m_bit_range.

2021-06-08 David Malcolm <dmalcolm@redhat.com>

	* svalue.h (conjured_svalue::iterator_t): Delete.

2021-06-03 David Malcolm <dmalcolm@redhat.com>

	* store.h (store::get_direct_binding): Remove unused decl.
	(store::get_default_binding): Likewise.

2021-06-03 David Malcolm <dmalcolm@redhat.com>

	* svalue.cc (poisoned_svalue::dump_to_pp): Dump type.
	(compound_svalue::dump_to_pp): Dump any type.

2021-05-18 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/100615
	* sm-malloc.cc: Include "analyzer/function-set.h".
	(malloc_state_machine::on_stmt): Call unaffected_by_call_p and
	bail on the functions it recognizes.
	(malloc_state_machine::unaffected_by_call_p): New.

2021-05-10 Martin Liska <mliska@suse.cz>

	* sm-file.cc (is_file_using_fn_p): Use startswith
	function instead of strncmp.

2021-05-10 Martin Liska <mliska@suse.cz>

	* program-state.cc (program_state::operator=): Remove
	__cplusplus >= 201103.
	(program_state::program_state): Likewise.
	* program-state.h: Likewise.
	* region-model.h (class region_model): Remove dead code.

2021-04-24 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/100244
	* sm-malloc.cc (free_of_non_heap::describe_state_change):
	Bulletproof against change.m_expr being NULL.

2021-04-13 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/98599
	* supergraph.cc (saved_uids::make_uid_unique): New.
	(saved_uids::restore_uids): New.
	(supergraph::supergraph): Replace assignments to stmt->uid with
	calls to m_stmt_uids.make_uid_unique.
	(supergraph::~supergraph): New.
	* supergraph.h (class saved_uids): New.
	(supergraph::~supergraph): New decl.
	(supergraph::m_stmt_uids): New field.

2021-04-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/100011
	* region-model.cc (region_model::on_assignment): Avoid NULL
	dereference if ctxt is NULL when assigning from a STRING_CST.

2021-04-08 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99042
	PR analyzer/99774
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param and use it to initialize m_uncertainty.
	(impl_region_model_context::get_uncertainty): New.
	(impl_sm_context::get_fndecl_for_call): Add NULL for new
	uncertainty param when constructing impl_region_model_context.
	(impl_sm_context::get_state): Likewise.
	(impl_sm_context::set_next_state): Likewise.
	(impl_sm_context::warn): Likewise.
	(exploded_node::on_stmt): Add uncertainty param
	and use it when constructing impl_region_model_context.
	(exploded_node::on_edge): Add uncertainty param and pass
	to on_edge call.
	(exploded_node::detect_leaks): Create uncertainty_t and pass to
	impl_region_model_context.
	(exploded_graph::get_or_create_node): Create uncertainty_t and
	pass to prune_for_point.
	(maybe_process_run_of_before_supernode_enodes): Create
	uncertainty_t and pass to impl_region_model_context.
	(exploded_graph::process_node): Create uncertainty_t instances and
	pass around as needed.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add
	uncertainty param.
	(impl_region_model_context::get_uncertainty): New decl.
	(impl_region_model_context::m_uncertainty): New field.
	(exploded_node::on_stmt): Add uncertainty param.
	(exploded_node::on_edge): Likewise.
	* program-state.cc (sm_state_map::on_liveness_change): Get
	uncertainty from context and use it to unset sm-state from
	svalues as appropriate.
	(program_state::on_edge): Add uncertainty param and use it when
	constructing impl_region_model_context. Fix indentation.
	(program_state::prune_for_point): Add uncertainty param and use it
	when constructing impl_region_model_context.
	(program_state::detect_leaks): Get any uncertainty from ctxt and
	use it to get maybe-live svalues for dest_state, rather than
	definitely-live ones; use this when determining which svalues
	have leaked.
	(selftest::test_program_state_merging): Create uncertainty_t and
	pass to impl_region_model_context.
	* program-state.h (program_state::on_edge): Add uncertainty param.
	(program_state::prune_for_point): Likewise.
	* region-model-impl-calls.cc (call_details::get_uncertainty): New.
	(region_model::impl_call_memcpy): Pass uncertainty to
	mark_region_as_unknown call.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Also add sval to m_mutable_svals.
	* region-model.cc (region_model::on_assignment): Pass any
	uncertainty from ctxt to the store::set_value call.
	(region_model::handle_unrecognized_call): Get any uncertainty from
	ctxt and use it to record mutable svalues at the unknown call.
	(region_model::get_reachable_svalues): Add uncertainty param and
	use it to mark any maybe-bound svalues as being reachable.
	(region_model::set_value): Pass any uncertainty from ctxt to the
	store::set_value call.
	(region_model::mark_region_as_unknown): Add uncertainty param and
	pass it on to the store::mark_region_as_unknown call.
	(region_model::update_for_call_summary): Add uncertainty param and
	pass it on to the region_model::mark_region_as_unknown call.
	* region-model.h (call_details::get_uncertainty): New decl.
	(region_model::get_reachable_svalues): Add uncertainty param.
	(region_model::mark_region_as_unknown): Add uncertainty param.
	(region_model_context::get_uncertainty): New vfunc.
	(noop_region_model_context::get_uncertainty): New vfunc
	implementation.
	* store.cc (dump_svalue_set): New.
	(uncertainty_t::dump_to_pp): New.
	(uncertainty_t::dump): New.
	(binding_cluster::clobber_region): Pass NULL for uncertainty to
	remove_overlapping_bindings.
	(binding_cluster::mark_region_as_unknown): Add uncertainty param
	and pass it to remove_overlapping_bindings.
	(binding_cluster::remove_overlapping_bindings): Add uncertainty param.
	Use it to record any svalues that were in clobbered bindings.
	(store::set_value): Add uncertainty param. Pass it to
	binding_cluster::mark_region_as_unknown when handling symbolic
	regions.
	(store::mark_region_as_unknown): Add uncertainty param and pass it
	to binding_cluster::mark_region_as_unknown.
	(store::remove_overlapping_bindings): Add uncertainty param and
	pass it to binding_cluster::remove_overlapping_bindings.
	* store.h (binding_cluster::mark_region_as_unknown): Add
	uncertainty param.
	(binding_cluster::remove_overlapping_bindings): Likewise.
	(store::set_value): Likewise.
	(store::mark_region_as_unknown): Likewise.

2021-04-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99906
	* analyzer.cc (maybe_reconstruct_from_def_stmt): Fix NULL
	dereference on calls with zero arguments.
	* sm-malloc.cc (malloc_state_machine::on_stmt): When handling
	__attribute__((nonnull)), only call get_diagnostic_tree if the
	result will be used.

2021-04-05 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99886
	* diagnostic-manager.cc
	(diagnostic_manager::prune_interproc_events): Use signed integers
	when subtracting one from path->num_events ().
	(diagnostic_manager::consolidate_conditions): Likewise. Convert
	next_idx to a signed int.

2021-04-01 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (diagnostic_manager::add_diagnostic): Make
	enode param non-constant, and call add_diagnostic on it. Add
	enode index to log message.
	(diagnostic_manager::add_diagnostic): Make enode param
	non-constant.
	* diagnostic-manager.h (diagnostic_manager::add_diagnostic):
	Likewise for both decls.
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Likewise
	for enode_for_diag.
	(impl_sm_context::impl_sm_context): Likewise.
	(impl_sm_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_dot): Don't pass the diagnostic manager
	to dump_saved_diagnostics.
	(exploded_node::dump_saved_diagnostics): Drop param. Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-const.
	(exploded_graph_annotator::print_enode): Iterate
	directly through all saved diagnostics for the enode, rather
	than all saved diagnostics in the diagnostic_manager and
	filtering.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Make
	enode_for_diag param non-constant.
	(impl_region_model_context::m_enode_for_diag): Likewise.
	(exploded_node::dump_saved_diagnostics): Drop param.
	(exploded_node::on_stmt): Make non-const.
	(exploded_node::on_edge): Likewise.
	(exploded_node::on_longjmp): Likewise.
	(exploded_node::detect_leaks): Likewise.
	(exploded_node::add_diagnostic): New.
	(exploded_node::get_num_diagnostics): New.
	(exploded_node::get_saved_diagnostic): New.
	(exploded_node::m_saved_diagnostics): New.
	(exploded_graph::get_or_create_node): Make enode_for_diag param
	non-constant.
	* feasible-graph.cc (feasible_node::dump_dot): Drop
	diagnostic_manager from call to dump_saved_diagnostics.
	* program-state.cc (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.
	* program-state.h (program_state::on_edge): Convert enode param
	to non-const pointer.
	(program_state::prune_for_point): Likewise for enode_for_diag
	param.

2021-03-31 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99771
	* analyzer.cc (maybe_reconstruct_from_def_stmt): New.
	(fixup_tree_for_diagnostic_1): New.
	(fixup_tree_for_diagnostic): New.
	* analyzer.h (fixup_tree_for_diagnostic): New decl.
	* checker-path.cc (call_event::get_desc): Call
	fixup_tree_for_diagnostic and use it for the call_with_state call.
	(warning_event::get_desc): Likewise for the final_event and
	make_label_text calls.
	* engine.cc (impl_region_model_context::on_state_leak): Likewise
	for the on_leak and add_diagnostic calls.
	* region-model.cc (region_model::get_representative_tree):
	Likewise for the result.

2021-03-30 David Malcolm <dmalcolm@redhat.com>

	* region.h (region::dump_to_pp): Remove old decl.

2021-03-30 David Malcolm <dmalcolm@redhat.com>

	* sm-file.cc (fileptr_state_machine::on_stmt): Only call
	get_diagnostic_tree if the result will be used.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
	(malloc_state_machine::on_deallocator_call): Likewise.
	(malloc_state_machine::on_realloc_call): Likewise.
	* sm-sensitive.cc
	(sensitive_state_machine::warn_for_any_exposure): Likewise.
	* sm-taint.cc (taint_state_machine::on_stmt): Likewise.

2021-03-25 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/93695
	PR analyzer/99044
	PR analyzer/99716
	* engine.cc (exploded_node::on_stmt): Clear sm-state involving
	an SSA name at the def-stmt of that SSA name.
	* program-state.cc (sm_state_map::purge_state_involving): New.
	* program-state.h (sm_state_map::purge_state_involving): New decl.
	* region-model.cc (selftest::test_involves_p): New.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* svalue.cc (class involvement_visitor): New class.
	(svalue::involves_p): New.
	* svalue.h (svalue::involves_p): New decl.

2021-03-19 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99614
	* diagnostic-manager.cc (class epath_finder): Add
	DISABLE_COPY_AND_ASSIGN.

2021-03-15 Martin Liska <mliska@suse.cz>

	* sm-file.cc (get_file_using_fns): Add missing comma in initializer.

2021-03-11 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96374
	* analyzer.opt (-param=analyzer-max-infeasible-edges=): New param.
	(fdump-analyzer-feasibility): New flag.
	* diagnostic-manager.cc: Include "analyzer/trimmed-graph.h" and
	"analyzer/feasible-graph.h".
	(epath_finder::epath_finder): Convert m_sep to a pointer and
	only create it if !flag_analyzer_feasibility.
	(epath_finder::~epath_finder): New.
	(epath_finder::m_sep): Convert to a pointer.
	(epath_finder::get_best_epath): Add param "diag_idx" and use it
	when logging. Rather than finding the shortest path and then
	checking feasibility, instead use explore_feasible_paths unless
	!flag_analyzer_feasibility, in which case simply use the shortest
	path, and note if it is infeasible. Update for m_sep becoming a
	pointer.
	(class feasible_worklist): New.
	(epath_finder::explore_feasible_paths): New.
	(epath_finder::process_worklist_item): New.
	(class dump_eg_with_shortest_path): New.
	(epath_finder::dump_trimmed_graph): New.
	(epath_finder::dump_feasible_graph): New.
	(saved_diagnostic::saved_diagnostic): Add "idx" param, using it
	on new field m_idx.
	(saved_diagnostic::to_json): Dump m_idx.
	(saved_diagnostic::calc_best_epath): Pass m_idx to get_best_epath.
	Remove assertion that m_problem was set when m_best_epath is NULL.
	(diagnostic_manager::add_diagnostic): Pass an index when created
	saved_diagnostic instances.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add
	"idx" param.
	(saved_diagnostic::get_index): New accessor.
	(saved_diagnostic::m_idx): New field.
	* engine.cc (exploded_node::dump_dot): Call args.dump_extra_info.
	Move code to...
	(exploded_node::dump_processed_stmts): ...this new function and...
	(exploded_node::dump_saved_diagnostics): ...this new function.
	Add index of each diagnostic.
	(exploded_edge::dump_dot): Move bulk of code to...
	(exploded_edge::dump_dot_label): ...this new function.
	* exploded-graph.h (eg_traits::dump_args_t::dump_extra_info): New
	vfunc.
	(exploded_node::dump_processed_stmts): New decl.
	(exploded_node::dump_saved_diagnostics): New decl.
	(exploded_edge::dump_dot_label): New decl.
	* feasible-graph.cc: New file.
	* feasible-graph.h: New file.
	* trimmed-graph.cc: New file.
	* trimmed-graph.h: New file.

2021-03-11 David Malcolm <dmalcolm@redhat.com>

	* diagnostic-manager.cc (epath_finder::epath_finder):
	Update shortest_paths init for new param.

2021-03-10 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96374
	* engine.cc (exploded_path::feasible_p): Move "snodes_visited" and
	"model" locals into a new class feasibility_state. Move heart
	of per-edge processing into
	feasibility_state::maybe_update_for_edge.
	(feasibility_state::feasibility_state): New.
	(feasibility_state::maybe_update_for_edge): New, based on loop
	body in exploded_path::feasible_p.
	* exploded-graph.h (class feasibility_state): New.

2021-03-10 David Malcolm <dmalcolm@redhat.com>

	* supergraph.h
	(callgraph_superedge::dyn_cast_callgraph_superedge): New.
	(call_superedge::dyn_cast_callgraph_superedge): Delete.
	(return_superedge::dyn_cast_callgraph_superedge): Delete.

2021-03-02 Martin Liska <mliska@suse.cz>

	* diagnostic-manager.cc (diagnostic_manager::emit_saved_diagnostics):
	Do not pass engine.

2021-02-26 David Malcolm <dmalcolm@redhat.com>

	* engine.cc (exploded_path::exploded_path): New copy-ctor.
	* exploded-graph.h (exploded_path::operator=): Drop decl.

2021-02-26 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/96374
	* diagnostic-manager.cc (class epath_finder): New.
	(epath_finder::get_best_epath): New.
	(saved_diagnostic::saved_diagnostic): Update for replacement of
	m_state and m_epath_length with m_best_epath.
	(saved_diagnostic::~saved_diagnostic): Delete m_best_epath.
	(saved_diagnostic::to_json): Update "path_length" to be optional.
	(saved_diagnostic::calc_best_epath): New, based on
	dedupe_winners::add and parts of dedupe_key::dedupe_key.
	(saved_diagnostic::get_epath_length): New.
	(saved_diagnostic::add_duplicate): New.
	(dedupe_key::dedupe_key): Drop epath param. Move invocation of
	stmt_finder to saved_diagnostic::calc_best_epath.
	(class dedupe_candidate): Delete.
	(class dedupe_hash_map_traits): Update to use saved_diagnostic *
	rather than dedupe_candidate * as the value_type/compare_type.
	(dedupe_winners::~dedupe_winners): Don't delete the values.
	(dedupe_winners::add): Convert param from shortest_exploded_paths to
	epath_finder. Drop "eg" param. Drop dedupe_candidate, moving
	path generation and feasibility checking to
	epath_finder::get_best_epath. Update winner-selection for move
	of epaths from dedupe_candidate to saved_diagnostic.
	(dedupe_winners::emit_best): Update for removal of class
	dedupe_candidate.
	(dedupe_winners::map_t): Update to use saved_diagnostic * rather
	than dedupe_candidate * as the value_type/compare_type.
	(diagnostic_manager::emit_saved_diagnostics): Move
	shortest_exploded_paths instance into epath_finder and pass that
	around instead.
	(diagnostic_manager::emit_saved_diagnostic): Drop epath, stmt
	and num_dupes params, instead getting these from the
	saved_diagnostic. Use correct location in inform_n call.
	* diagnostic-manager.h (class epath_finder): New forward decl.
	(saved_diagnostic::status): Drop enum.
	(saved_diagnostic::set_feasible): Drop.
	(saved_diagnostic::set_infeasible): Drop.
	(saved_diagnostic::get_status): Drop.
	(saved_diagnostic::calc_best_epath): New decl.
	(saved_diagnostic::get_best_epath): New decl.
	(saved_diagnostic::get_epath_length): New decl.
	(saved_diagnostic::set_epath_length): Drop.
	(saved_diagnostic::get_epath_length): Drop inline implementation.
	(saved_diagnostic::add_duplicate): New.
	(saved_diagnostic::get_num_dupes): New.
	(saved_diagnostic::m_d): Document ownership.
	(saved_diagnostic::m_trailing_eedge): Make const.
	(saved_diagnostic::m_status): Drop field.
	(saved_diagnostic::m_epath_length): Drop field.
	(saved_diagnostic::m_best_epath): New field.
	(saved_diagnostic::m_problem): Document ownership.
	(saved_diagnostic::m_duplicates): New field.
	(diagnostic_manager::emit_saved_diagnostic): Drop params epath,
	stmt, and num_dupes.
	* engine.cc (exploded_graph_annotator::print_saved_diagnostic):
	Update for changes to saved_diagnostic class.
	* exploded-graph.h (exploded_path::feasible_p): Drop unused
	overloaded decl.

2021-02-25 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99193
	* region-model-impl-calls.cc (region_model::impl_call_realloc): New.
	* region-model.cc (region_model::on_call_pre): Call it.
	* region-model.h (region_model::impl_call_realloc): New decl.
	* sm-malloc.cc (enum wording): Add WORDING_REALLOCATED.
	(malloc_state_machine::m_realloc): New field.
	(use_after_free::describe_state_change): Add case for
	WORDING_REALLOCATED.
	(use_after_free::describe_final_event): Likewise.
	(malloc_state_machine::malloc_state_machine): Initialize
	m_realloc.
	(malloc_state_machine::on_stmt): Handle realloc by calling...
	(malloc_state_machine::on_realloc_call): New.

2021-02-22 David Malcolm <dmalcolm@redhat.com>

	PR analyzer/99196
	* engine.cc (exploded_node::on_stmt): Provide terminate_path
	flag as a way for on_call_pre to terminate the current analysis
	path.
	* region-model-impl-calls.cc (call_details::num_args): New.
	(region_model::impl_call_error): New.
	* region-model.cc (region_model::on_call_pre): Add param
	"out_terminate_path". Handle "error" and "error_at_line".
	* region-model.h (call_details::num_args): New decl.
	(region_model::on_call_pre): Add param "out_terminate_path".
	(region_model::impl_call_error): New decl.

35062021-02-17 David Malcolm <dmalcolm@redhat.com>
3507
3508 PR analyzer/98969
3509 * constraint-manager.cc (dead_svalue_purger::should_purge_p):
3510 Update for change to svalue::live_p.
3511 * program-state.cc (sm_state_map::on_liveness_change): Likewise.
3512 (program_state::detect_leaks): Likewise.
3513 * region-model-reachability.cc (reachable_regions::init_cluster):
3514 When dealing with a symbolic region, if the underlying pointer is
3515 implicitly live, add the region to the reachable regions.
3516 * region-model.cc (region_model::compare_initial_and_pointer):
3517 Move logic for detecting initial values of params to
3518 initial_svalue::initial_value_of_param_p.
3519 * svalue.cc (svalue::live_p): Convert "live_svalues" from a
3520 reference to a pointer; support it being NULL.
3521 (svalue::implicitly_live_p): Convert first param from a
3522 refererence to a pointer.
3523 (region_svalue::implicitly_live_p): Likewise.
3524 (constant_svalue::implicitly_live_p): Likewise.
3525 (initial_svalue::implicitly_live_p): Likewise. Treat the initial
3526 values of params for the top level frame as still live.
3527 (initial_svalue::initial_value_of_param_p): New function, taken
3528 from a test in region_model::compare_initial_and_pointer.
3529 (unaryop_svalue::implicitly_live_p): Convert first param from a
3530 refererence to a pointer.
3531 (binop_svalue::implicitly_live_p): Likewise.
3532 (sub_svalue::implicitly_live_p): Likewise.
3533 (unmergeable_svalue::implicitly_live_p): Likewise.
3534 * svalue.h (svalue::live_p): Likewise.
3535 (svalue::implicitly_live_p): Likewise.
3536 (region_svalue::implicitly_live_p): Likewise.
3537 (constant_svalue::implicitly_live_p): Likewise.
3538 (initial_svalue::implicitly_live_p): Likewise.
3539 (initial_svalue::initial_value_of_param_p): New decl.
3540 (unaryop_svalue::implicitly_live_p): Convert first param from a
3541 refererence to a pointer.
3542 (binop_svalue::implicitly_live_p): Likewise.
3543 (sub_svalue::implicitly_live_p): Likewise.
3544 (unmergeable_svalue::implicitly_live_p): Likewise.
3545
fab095da
GA
35462021-02-12 David Malcolm <dmalcolm@redhat.com>
3547
3548 PR analyzer/98969
3549 * engine.cc (readability): Add names for the various arbitrary
3550 values. Handle NOP_EXPR and INTEGER_CST.
3551 (readability_comparator): Combine the readability tests for
3552 tree and stack depth, rather than performing them sequentially.
3553 (impl_region_model_context::on_state_leak): Strip off top-level
3554 casts.
3555 * region-model.cc (region_model::get_representative_path_var): Add
3556 type-checking, moving the bulk of the implementation to...
3557 (region_model::get_representative_path_var_1): ...here. Respect
3558 types in casts by recursing and re-adding the cast, rather than
3559 merely stripping them off. Use the correct type when handling
3560 region_svalue.
3561 (region_model::get_representative_tree): Strip off any top-level
3562 cast.
3563 (region_model::get_representative_path_var): Add type-checking,
3564 moving the bulk of the implementation to...
3565 (region_model::get_representative_path_var_1): ...here.
3566 * region-model.h (region_model::get_representative_path_var_1):
3567 New decl
3568 (region_model::get_representative_path_var_1): New decl.
3569 * store.cc (append_pathvar_with_type): New.
3570 (binding_cluster::get_representative_path_vars): Cast path_vars
3571 to the correct type when adding them to *OUT_PVS.
3572
0a91b73e
GA
35732021-02-09 David Malcolm <dmalcolm@redhat.com>
3574
3575 PR analyzer/98575
3576 * sm-file.cc (is_file_using_fn_p): Support "_IO_"-prefixed
3577 variants.
3578
35792021-02-09 David Malcolm <dmalcolm@redhat.com>
3580
3581 PR analyzer/98575
3582 * store.cc (store::set_value): Treat a pointer written to *UNKNOWN
3583 as having escaped.
3584
548b75d8
GA
35852021-02-02 David Malcolm <dmalcolm@redhat.com>
3586
3587 PR analyzer/93355
3588 PR analyzer/96374
3589 * engine.cc (toplevel_function_p): Simplify so that
3590 we only reject functions with a "__analyzer_" prefix.
3591 (add_any_callbacks): Delete.
3592 (exploded_graph::build_initial_worklist): Update for
3593 dropped param of toplevel_function_p.
3594 (exploded_graph::build_initial_worklist): Don't bother
3595 looking for callbacks that are reachable from global
3596 initializers.
3597
f7884fb1
GA
35982021-02-01 David Malcolm <dmalcolm@redhat.com>
3599
3600 PR analyzer/98918
3601 * region-model-manager.cc
3602 (region_model_manager::get_or_create_initial_value):
3603 Fold the initial value of *UNKNOWN_PTR to an UNKNOWN value.
3604 (region_model_manager::get_field_region): Fold the value
3605 of UNKNOWN_PTR->FIELD to *UNKNOWN_PTR_OF_&FIELD_TYPE.
3606
2900f2f2
GA
36072021-01-29 David Malcolm <dmalcolm@redhat.com>
3608
3609 * checker-path.cc (event_kind_to_string): Handle
3610 EK_START_CONSOLIDATED_CFG_EDGES and
3611 EK_END_CONSOLIDATED_CFG_EDGES.
3612 (start_consolidated_cfg_edges_event::get_desc): New.
3613 (checker_path::cfg_edge_pair_at_p): New.
3614 * checker-path.h (enum event_kind): Add
3615 EK_START_CONSOLIDATED_CFG_EDGES and
3616 EK_END_CONSOLIDATED_CFG_EDGES.
3617 (class start_consolidated_cfg_edges_event): New class.
3618 (class end_consolidated_cfg_edges_event): New class.
3619 (checker_path::delete_events): New.
3620 (checker_path::replace_event): New.
3621 (checker_path::cfg_edge_pair_at_p): New decl.
3622 * diagnostic-manager.cc (diagnostic_manager::prune_path): Call
3623 consolidate_conditions.
3624 (same_line_as_p): New.
3625 (diagnostic_manager::consolidate_conditions): New.
3626 * diagnostic-manager.h
3627 (diagnostic_manager::consolidate_conditions): New decl.
3628
ef1f8ee6
GA
36292021-01-18 David Malcolm <dmalcolm@redhat.com>
3630
3631 * analyzer.h (is_std_named_call_p): New decl.
3632 * diagnostic-manager.cc (path_builder::get_sm): New.
3633 (state_change_event_creator::state_change_event_creator): Add "pb"
3634 param.
3635 (state_change_event_creator::on_global_state_change): Don't consider
3636 state changes affecting other state_machines.
3637 (state_change_event_creator::on_state_change): Likewise.
3638 (state_change_event_creator::m_pb): New field.
3639 (diagnostic_manager::add_events_for_eedge): Pass pb to visitor
3640 ctor.
3641 * region-model-impl-calls.cc
3642 (region_model::impl_deallocation_call): New.
3643 * region-model.cc: Include "attribs.h".
3644 (region_model::on_call_post): Handle fndecls referenced by
3645 __attribute__((deallocated_by(FOO))).
3646 * region-model.h (region_model::impl_deallocation_call): New decl.
3647 * sm-malloc.cc: Include "stringpool.h" and "attribs.h". Add
3648 leading comment.
3649 (class api): Delete.
3650 (enum resource_state): Update comment for change from api to
3651 deallocator and deallocator_set.
3652 (allocation_state::allocation_state): Drop api param. Add
3653 "deallocators" and "deallocator".
3654 (allocation_state::m_api): Drop field in favor of...
3655 (allocation_state::m_deallocators): New field.
3656 (allocation_state::m_deallocator): New field.
3657 (enum wording): Add WORDING_DEALLOCATED.
3658 (struct deallocator): New.
3659 (struct standard_deallocator): New.
3660 (struct custom_deallocator): New.
3661 (struct deallocator_set): New.
3662 (struct custom_deallocator_set): New.
3663 (struct standard_deallocator_set): New.
3664 (struct deallocator_set_map_traits): New.
3665 (malloc_state_machine::m_malloc): Drop field
3666 (malloc_state_machine::m_scalar_new): Likewise.
3667 (malloc_state_machine::m_vector_new): Likewise.
3668 (malloc_state_machine::m_free): New field
3669 (malloc_state_machine::m_scalar_delete): Likewise.
3670 (malloc_state_machine::m_vector_delete): Likewise.
3671 (malloc_state_machine::deallocator_map_t): New typedef.
3672 (malloc_state_machine::m_deallocator_map): New field.
3673 (malloc_state_machine::deallocator_set_cache_t): New typedef.
3674 (malloc_state_machine::m_custom_deallocator_set_cache): New field.
3675 (malloc_state_machine::custom_deallocator_set_map_t): New typedef.
3676 (malloc_state_machine::m_custom_deallocator_set_map): New field.
3677 (malloc_state_machine::m_dynamic_sets): New field.
3678 (malloc_state_machine::m_dynamic_deallocators): New field.
3679 (api::api): Delete.
3680 (deallocator::deallocator): New ctor.
3681 (deallocator::hash): New.
3682 (deallocator::dump_to_pp): New.
3683 (deallocator::cmp): New.
3684 (deallocator::cmp_ptr_ptr): New.
3685 (standard_deallocator::standard_deallocator): New ctor.
3686 (deallocator_set::deallocator_set): New ctor.
3687 (deallocator_set::dump): New.
3688 (custom_deallocator_set::custom_deallocator_set): New ctor.
3689 (custom_deallocator_set::contains_p): New.
3690 (custom_deallocator_set::maybe_get_single): New.
3691 (custom_deallocator_set::dump_to_pp): New.
3692 (standard_deallocator_set::standard_deallocator_set): New ctor.
3693 (standard_deallocator_set::contains_p): New.
3694 (standard_deallocator_set::maybe_get_single): New.
3695 (standard_deallocator_set::dump_to_pp): New.
3696 (start_p): New.
3697 (class mismatching_deallocation): Update for conversion from api
3698 to deallocator_set and deallocator.
3699 (double_free::emit): Use %qs.
3700 (class use_after_free): Update for conversion from api to
3701 deallocator_set and deallocator.
3702 (malloc_leak::describe_state_change): Only emit "allocated here" on
3703 a start->nonnull transition, rather than on other transitions to
3704 nonnull.
3705 (allocation_state::dump_to_pp): Update for conversion from api to
3706 deallocator_set.
3707 (allocation_state::get_nonnull): Likewise.
3708 (malloc_state_machine::malloc_state_machine): Likewise.
3709 (malloc_state_machine::~malloc_state_machine): New.
3710 (malloc_state_machine::add_state): Update for conversion from api
3711 to deallocator_set.
3712 (malloc_state_machine::get_or_create_custom_deallocator_set): New.
3713 (malloc_state_machine::maybe_create_custom_deallocator_set): New.
3714 (malloc_state_machine::get_or_create_deallocator): New.
3715 (malloc_state_machine::on_stmt): Update for conversion from api
3716 to deallocator_set. Handle "__attribute__((malloc(FOO)))", and
3717 the special attribute set on FOO.
3718 (malloc_state_machine::on_allocator_call): Update for conversion
3719 from api to deallocator_set. Add "returns_nonnull" param and use
3720 it to affect which state to transition to.
3721 (malloc_state_machine::on_deallocator_call): Update for conversion
3722 from api to deallocator_set.
3723
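Worked example of the allocator/deallocator pairing that the entry above teaches sm-malloc (added here; not GCC code and not part of this ChangeLog). It uses the `__attribute__((malloc(deallocator)))` form that GCC 11 documents; the `session` type, its functions and the `live_sessions` counter are invented for the illustration. `serve` releases on every path; `serve_bad`, never called at run time, shows the two mistakes the state machine can name once it knows `session_close` is the only valid release for a `session_open` result: freeing with `free` (mismatching deallocation) and dropping the handle (leak):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Invented for this example: a per-peer session handle. */
struct session {
    char peer[32];
    unsigned requests;
};

void session_close(struct session *s);

/* GCC 11+ accepts malloc(deallocator); clang and older GCC reject the
   argument form, so the pairing degrades to nothing there (only
   -fanalyzer consumes it).  */
#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
# define SESSION_ALLOC __attribute__((malloc(session_close)))
#else
# define SESSION_ALLOC
#endif

static int live_sessions;        /* lets a test confirm open/close balance */

SESSION_ALLOC struct session *session_open(const char *peer)
{
    struct session *s = calloc(1, sizeof *s);
    if (!s)
        return NULL;
    size_t n = strlen(peer);
    if (n > sizeof s->peer - 1)
        n = sizeof s->peer - 1;      /* truncate, keep the terminator */
    memcpy(s->peer, peer, n);        /* calloc already zeroed the rest */
    live_sessions++;
    return s;
}

void session_close(struct session *s)
{
    if (!s)
        return;
    free(s);
    live_sessions--;
}

int session_live_count(void)
{
    return live_sessions;
}

/* Correct pairing: every session_open result reaches session_close on
   every path, including the early rejection.  Returns requests served.  */
unsigned serve(const char *peer, unsigned nreq)
{
    struct session *s = session_open(peer);
    if (!s)
        return 0;
    if (nreq > 1000) {               /* reject an abusive client */
        session_close(s);
        return 0;
    }
    s->requests = nreq;
    unsigned served = s->requests;
    session_close(s);
    return served;
}

/* Wrong pairings, never called at run time.  With the attribute honoured
   the analyzer knows session_close is the only valid release, so the early
   return is reported as a leak and free() as a mismatching deallocation.  */
void serve_bad(const char *peer, int fail)
{
    struct session *s = session_open(peer);
    if (!s)
        return;
    if (fail)
        return;                      /* leak: s never closed */
    free(s);                         /* mismatching deallocation */
}

int main(void)
{
    unsigned served = serve("203.0.113.9", 3);
    printf("served %u, live sessions now %d\n", served, session_live_count());
    return session_live_count() == 0 ? 0 : 1;
}
```

The deallocator has to be declared before the attribute names it, and its first parameter type must match the allocator's return type; with that in place the pairing costs nothing at run time and gives `-fanalyzer` the same knowledge of this API that it has built in for `malloc`/`free` and `fopen`/`fclose`.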
2021-01-14  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (strongly_connected_components::to_json): New.
	(worklist::to_json): New.
	(exploded_graph::to_json): JSON-ify the worklist.
	* exploded-graph.h (strongly_connected_components::to_json): New
	decl.
	(worklist::to_json): New decl.
	* store.cc (store::to_json): Fix comment.
	* supergraph.cc (supernode::to_json): Fix reference to
	"returning_call" in comment. Add optional "fun" to JSON.
	(edge_kind_to_string): New.
	(superedge::to_json): Add "kind" to JSON.

2021-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98679
	* analyzer.h (region_offset::operator==): Make const.
	* pending-diagnostic.h (pending_diagnostic::equal_p): Likewise.
	* store.h (binding_cluster::for_each_value): Likewise.
	(binding_cluster::for_each_binding): Likewise.

2021-01-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98628
	* store.cc (binding_cluster::make_unknown_relative_to): Don't mark
	dereferenced unknown pointers as having escaped.

2021-01-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98580
	* region.cc (decl_region::get_svalue_for_initializer): Gracefully
	handle when LTO writes out DECL_INITIAL as error_mark_node.

2021-01-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97074
	* store.cc (binding_cluster::can_merge_p): Add "out_store" param
	and pass to calls to binding_cluster::make_unknown_relative_to.
	(binding_cluster::make_unknown_relative_to): Add "out_store"
	param. Use it to mark base regions that are pointed to by
	pointers that become unknown as having escaped.
	(store::can_merge_p): Pass out_store to
	binding_cluster::can_merge_p.
	* store.h (binding_cluster::can_merge_p): Add "out_store" param.
	(binding_cluster::make_unknown_relative_to): Likewise.
	* svalue.cc (region_svalue::implicitly_live_p): New vfunc.
	* svalue.h (region_svalue::implicitly_live_p): New vfunc decl.

2021-01-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98564
	* engine.cc (exploded_path::feasible_p): Add missing call to
	bitmap_clear.

2021-01-06  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97072
	* region-model-reachability.cc (reachable_regions::init_cluster):
	Convert symbolic region handling to a switch statement. Add cases
	to handle SK_UNKNOWN and SK_CONJURED.

2021-01-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/98293
	* store.cc (binding_map::apply_ctor_to_region): When "index" is
	NULL, iterate through the fields for RECORD_TYPEs, rather than
	creating an INTEGER_CST index.

2020-11-30  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc: Include "analyzer/analyzer.h" for the
	declaration of sorry_no_analyzer; include "tree.h" and
	"function.h" as these are needed by it.

2020-11-30  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-pass.cc (pass_analyzer::execute): Move sorry call to...
	(sorry_no_analyzer): New.
	* analyzer.h (class state_machine): New forward decl.
	(class logger): New forward decl.
	(class plugin_analyzer_init_iface): New.
	(sorry_no_analyzer): New decl.
	* checker-path.cc (checker_path::fixup_locations): New.
	* checker-path.h (checker_event::set_location): New.
	(checker_path::fixup_locations): New decl.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Call
	checker_path::fixup_locations, and call fixup_location
	on the primary location.
	* engine.cc: Include "plugin.h".
	(class plugin_analyzer_init_impl): New.
	(impl_run_checkers): Invoke PLUGIN_ANALYZER_INIT callbacks.
	* pending-diagnostic.h (pending_diagnostic::fixup_location): New
	vfunc.

2020-11-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97893
	* sm-malloc.cc (null_deref::emit): Use CWE-476 rather than
	CWE-690, as this isn't due to an unchecked return value.
	(null_arg::emit): Likewise.

2020-11-12  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_event::get_id_ptr): New.
	* diagnostic-manager.cc (path_builder::path_builder): Add "sd"
	param and use it to initialize new field "m_sd".
	(path_builder::get_pending_diagnostic): New.
	(path_builder::m_sd): New field.
	(diagnostic_manager::emit_saved_diagnostic): Pass sd to
	path_builder ctor.
	(diagnostic_manager::add_events_for_superedge): Call new
	maybe_add_custom_events_for_superedge vfunc.
	* engine.cc (stale_jmp_buf::stale_jmp_buf): Add "setjmp_point"
	param and use it to initialize new field "m_setjmp_point".
	Initialize new field "m_stack_pop_event".
	(stale_jmp_buf::maybe_add_custom_events_for_superedge): New vfunc
	implementation.
	(stale_jmp_buf::describe_final_event): New vfunc implementation.
	(stale_jmp_buf::m_setjmp_point): New field.
	(stale_jmp_buf::m_stack_pop_event): New field.
	(exploded_node::on_longjmp): Pass setjmp_point to stale_jmp_buf
	ctor.
	* pending-diagnostic.h
	(pending_diagnostic::maybe_add_custom_events_for_superedge): New
	vfunc.

2020-11-12  David Malcolm  <dmalcolm@redhat.com>

	PR tree-optimization/97424
	* analyzer.opt (Wanalyzer-shift-count-negative): New.
	(Wanalyzer-shift-count-overflow): New.
	* region-model.cc (class shift_count_negative_diagnostic): New.
	(class shift_count_overflow_diagnostic): New.
	(region_model::get_gassign_result): Complain about shift counts that
	are negative or are >= the operand's type's width.

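Worked example for the shift-count checks in the entry above (added here; not GCC code and not part of this ChangeLog; the function names are invented). `width_mask_bad` shows the two undefined cases the new diagnostics describe, a negative count and a count equal to the operand's width; the remaining functions show the validation a practitioner wants when the count comes from input, including a packet-style size field where an unchecked exponent would also silently wrap the product:

```c
#include <stdint.h>
#include <stdio.h>

/* Wrong: a "full width" request of 32 makes the count equal the operand's
   width, and a caller's "width - 1" idiom with width 0 makes it -1.  Both
   are undefined behaviour in C and are what the two diagnostics report
   when -fanalyzer can see such a count reach this shift.  Never called
   at run time here.  */
uint32_t width_mask_bad(int width)
{
    return (UINT32_C(1) << width) - 1;
}

/* Checked: the count is validated against the operand type's width, and
   the one legitimate out-of-range request (the full mask) is special-cased
   instead of shifted.  Returns 0 on success, -1 on a bad width.  */
int width_mask(int width, uint32_t *out)
{
    if (width < 0 || width > 32)
        return -1;
    *out = (width == 32) ? UINT32_MAX : (UINT32_C(1) << width) - 1;
    return 0;
}

/* Decode a length encoded as base * 2^exp, e.g. from a packet header.
   Rejects counts that would shift by the full width and products that
   would not fit in 32 bits, so no undefined shift and no silent wrap.  */
int decode_size(uint8_t exp, uint32_t base, uint32_t *out)
{
    if (exp >= 32)
        return -1;                         /* shift count >= width */
    if (base > (UINT32_MAX >> exp))
        return -1;                         /* base << exp would overflow */
    *out = base << exp;
    return 0;
}

/* Rotate left without ever shifting the right-hand term by 32. */
uint32_t rotl32(uint32_t v, unsigned n)
{
    n &= 31;                               /* count stays in [0, 31] */
    if (n == 0)
        return v;                          /* avoids v >> 32 */
    return (v << n) | (v >> (32 - n));
}

int main(void)
{
    uint32_t sz = 0;
    printf("decode_size(4, 3) -> %d, %u\n", decode_size(4, 3, &sz), sz);
    printf("decode_size(32, 1) -> %d\n", decode_size(32, 1, &sz));
    return 0;
}
```

The analyzer only reports these shifts where it can establish the count on some path, so the `_bad` function by itself is silent; a caller passing 32 or a constant-derived negative value is what makes the diagnostic fire. The checked versions make the question moot by rejecting the count before the shift.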
2020-11-10  Martin Liska  <mliska@suse.cz>

	* constraint-manager.cc (constraint_manager::merge): Remove
	unused code.
	* constraint-manager.h: Likewise.
	* program-state.cc (sm_state_map::sm_state_map): Likewise.
	(program_state::program_state): Likewise.
	(test_sm_state_map): Likewise.
	* program-state.h: Likewise.
	* region-model-reachability.cc (reachable_regions::reachable_regions): Likewise.
	* region-model-reachability.h: Likewise.
	* region-model.cc (region_model::handle_unrecognized_call): Likewise.
	(region_model::get_reachable_svalues): Likewise.
	(region_model::can_merge_with_p): Likewise.

2020-11-05  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97668
	* svalue.cc (cmp_cst): Handle COMPLEX_CST.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::on_liveness_change): Sort the
	leaking svalues before calling on_state_leak.
	(program_state::detect_leaks): Likewise when calling
	on_svalue_leak.
	* region-model-reachability.cc
	(reachable_regions::mark_escaped_clusters): Likewise when
	calling on_escaped_function.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97608
	* region-model-reachability.cc (reachable_regions::handle_sval):
	Operands of reachable reversible operations are reachable.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class state_machine): New forward decl.
	(class logger): Likewise.
	(class visitor): Likewise.
	* complexity.cc: New file, taken from svalue.cc.
	* complexity.h: New file, taken from region-model.h.
	* region-model.h: Include "analyzer/svalue.h" and
	"analyzer/region.h". Move struct complexity to complexity.h.
	Move svalue, its subclasses and supporting decls to svalue.h.
	Move region, its subclasses and supporting decls to region.h.
	* region.cc: Include "analyzer/region.h".
	(symbolic_region::symbolic_region): Move here from region-model.h.
	* region.h: New file, based on material from region-model.h.
	* svalue.cc: Include "analyzer/svalue.h".
	(complexity::complexity): Move to complexity.cc.
	(complexity::from_pair): Likewise.
	* svalue.h: New file, based on material from region-model.h.

2020-10-29  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Guard the printing of
	the origin pointer with !flag_dump_noaddr.
	* region.cc (string_region::dump_to_pp): Likewise for
	m_string_cst.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97568
	* region-model.cc (region_model::get_initial_value_for_global):
	Move check that !DECL_EXTERNAL from here to...
	* region.cc (decl_region::get_svalue_for_initializer): ...here,
	using it to reject zero initialization.

2020-10-27  Markus Böck  <markus.boeck02@gmail.com>

	PR analyzer/96608
	* store.h (hash): Cast to intptr_t instead of long.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* constraint-manager.cc (svalue_cmp_by_ptr): Delete.
	(equiv_class::canonicalize): Use svalue::cmp_ptr_ptr instead.
	(equiv_class_cmp): Eliminate pointer comparison.
	* diagnostic-manager.cc (dedupe_key::comparator): If they are at
	the same location, also compare epath length and pending_diagnostic
	kind.
	* engine.cc (readability_comparator): If two path_vars have the
	same readability, then impose an arbitrary ordering on them.
	(worklist::key_t::cmp): If two points have the same plan ordering,
	continue the comparison. Call sm_state_map::cmp rather than
	comparing hash values.
	* program-state.cc (sm_state_map::entry_t::cmp): New.
	(sm_state_map::cmp): New.
	* program-state.h (sm_state_map::entry_t::cmp): New decl.
	(sm_state_map::elements): New.
	(sm_state_map::cmp): New.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (setjmp_record::cmp): New.
	(supernode_cluster::dump_dot): Avoid embedding pointer in cluster
	name.
	(supernode_cluster::cmp_ptr_ptr): New.
	(function_call_string_cluster::dump_dot): Avoid embedding pointer
	in cluster name. Sort m_map when dumping child clusters.
	(function_call_string_cluster::cmp_ptr_ptr): New.
	(root_cluster::dump_dot): Sort m_map when dumping child clusters.
	* program-point.cc (function_point::cmp): New.
	(function_point::cmp_ptr): New.
	* program-point.h (function_point::cmp): New decl.
	(function_point::cmp_ptr): New decl.
	* program-state.cc (sm_state_map::print): Sort the values. Guard
	the printing of pointers with !flag_dump_noaddr.
	(program_state::prune_for_point): Sort the regions.
	(log_set_of_svalues): Sort the values. Guard the printing of
	pointers with !flag_dump_noaddr.
	* region-model-manager.cc (log_uniq_map): Sort the values.
	* region-model-reachability.cc (dump_set): New function template.
	(reachable_regions::dump_to_pp): Use it.
	* region-model.h (svalue::cmp_ptr): New decl.
	(svalue::cmp_ptr_ptr): New decl.
	(setjmp_record::cmp): New decl.
	(placeholder_svalue::get_name): New accessor.
	(widening_svalue::get_point): New accessor.
	(compound_svalue::get_map): New accessor.
	(conjured_svalue::get_stmt): New accessor.
	(conjured_svalue::get_id_region): New accessor.
	(region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* region.cc (region::cmp_ptrs): Rename to...
	(region::cmp_ptr_ptr): ...this.
	* state-purge.cc
	(state_purge_per_ssa_name::state_purge_per_ssa_name): Sort
	m_points_needing_name when dumping.
	* store.cc (concrete_binding::cmp_ptr_ptr): New.
	(symbolic_binding::cmp_ptr_ptr): New.
	(binding_map::cmp): New.
	(get_sorted_parent_regions): Update for renaming of
	region::cmp_ptrs to region::cmp_ptr_ptr.
	(store::dump_to_pp): Likewise.
	(store::to_json): Likewise.
	(store::can_merge_p): Sort the base regions before considering
	them.
	* store.h (concrete_binding::cmp_ptr_ptr): New decl.
	(symbolic_binding::cmp_ptr_ptr): New decl.
	(binding_map::cmp): New decl.
	* supergraph.cc (supergraph::supergraph): Assign UIDs to the
	gimple stmts.
	* svalue.cc (cmp_cst): New.
	(svalue::cmp_ptr): New.
	(svalue::cmp_ptr_ptr): New.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Fix off-by-one
	when imposing param_analyzer_max_enodes_per_program_point limit.

2020-10-27  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::get_representative_path_var):
	Implement case RK_LABEL.
	* region-model.h (label_region::get_label): New accessor.

2020-10-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97514
	* engine.cc (exploded_graph::add_function_entry): Handle failure
	to create an enode, rather than asserting.

2020-10-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97489
	* engine.cc (exploded_graph::add_function_entry): Assert that we
	have a function body.
	(exploded_graph::on_escaped_function): Reject fndecls that don't
	have a function body.

2020-10-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93388
	* region-model.cc (region_model::get_initial_value_for_global):
	Fall back to returning an initial_svalue if
	decl_region::get_svalue_for_initializer fails.
	* region.cc (decl_region::get_svalue_for_initializer): Don't
	attempt to create a compound_svalue if the region has an unknown
	size.

2020-10-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93723
	* store.cc (binding_map::apply_ctor_to_region): Remove redundant
	assertion.

2020-10-12  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97258
	* engine.cc (impl_region_model_context::on_escaped_function): New
	vfunc.
	(exploded_graph::add_function_entry): Use m_functions_with_enodes
	to implement idempotency.
	(add_any_callbacks): New.
	(exploded_graph::build_initial_worklist): Use the above to find
	callbacks that are reachable from global initializers.
	(exploded_graph::on_escaped_function): New.
	* exploded-graph.h
	(impl_region_model_context::on_escaped_function): New decl.
	(exploded_graph::on_escaped_function): New decl.
	(exploded_graph::m_functions_with_enodes): New field.
	* region-model-reachability.cc
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param; use it to initialize m_model.
	(reachable_regions::add): When getting the svalue for the region,
	call get_store_value on the model rather than using an initial
	value.
	(reachable_regions::mark_escaped_clusters): Add ctxt param and
	use it to call on_escaped_function when a function_region escapes.
	* region-model-reachability.h
	(reachable_regions::reachable_regions): Replace "store" param with
	"model" param.
	(reachable_regions::mark_escaped_clusters): Add ctxt param.
	(reachable_regions::m_model): New field.
	* region-model.cc (region_model::handle_unrecognized_call): Update
	for change in reachable_regions ctor.
	(region_model::handle_unrecognized_call): Pass ctxt to
	mark_escaped_clusters.
	(region_model::get_reachable_svalues): Update for change in
	reachable_regions ctor.
	(region_model::get_initial_value_for_global): Read-only variables
	keep their initial values.
	* region-model.h (region_model_context::on_escaped_function): New
	vfunc.
	(noop_region_model_context::on_escaped_function): New.

2020-10-12  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (Wanalyzer-write-to-const): New.
	(Wanalyzer-write-to-string-literal): New.
	* region-model-impl-calls.cc (region_model::impl_call_memcpy):
	Call check_for_writable_region.
	(region_model::impl_call_memset): Likewise.
	(region_model::impl_call_strcpy): Likewise.
	* region-model.cc (class write_to_const_diagnostic): New.
	(class write_to_string_literal_diagnostic): New.
	(region_model::check_for_writable_region): New.
	(region_model::set_value): Call check_for_writable_region.
	* region-model.h (region_model::check_for_writable_region): New
	decl.

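Worked example for the two warnings introduced in the entry above (added here; not GCC code and not part of this ChangeLog; the names and key bytes are invented). `scrub_bad` writes to a string literal and, through a cast, to a `const` object, the targets that `check_for_writable_region` now inspects both for direct stores and for the modelled `memcpy`, `memset` and `strcpy` builtins; `shout` and `derive_token` do the same work on writable copies instead:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed key bytes for the example; const, so it can never be
   scrubbed in place.  */
static const unsigned char DEFAULT_KEY[16] = {
    0x3a, 0x7f, 0x11, 0xc4, 0x59, 0x02, 0xee, 0x8d,
    0x90, 0x4b, 0x26, 0xd7, 0x68, 0xa1, 0x0c, 0xf5,
};

/* Wrong: both targets are read-only.  The first store is the
   write-to-string-literal case, the memset through a cast is the
   write-to-const case; on a typical toolchain both objects live in
   .rodata and the process faults.  Kept for -fanalyzer to see; never
   called at run time.  */
void scrub_bad(void)
{
    char *banner = "Welcome";                             /* points into rodata */
    banner[0] = 'w';                                      /* write to string literal */
    memset((void *)DEFAULT_KEY, 0, sizeof DEFAULT_KEY);   /* write to const */
}

/* Correct: the edited text lives in the caller's writable buffer.
   Upper-cases src into out, bounded by outsz, and returns the bytes
   written, not counting the terminator.  */
size_t shout(char *out, size_t outsz, const char *src)
{
    if (outsz == 0)
        return 0;
    size_t n = strlen(src);
    if (n > outsz - 1)
        n = outsz - 1;                                    /* truncate, never overrun */
    for (size_t i = 0; i < n; i++)
        out[i] = (char)toupper((unsigned char)src[i]);
    out[n] = '\0';
    return n;
}

/* Correct: copy the const key into automatic storage, use the copy, then
   scrub that copy through a volatile pointer so the clear survives
   dead-store elimination.  Returns the number of token bytes produced.  */
int derive_token(unsigned char out[16], unsigned char salt)
{
    unsigned char key[16];
    memcpy(key, DEFAULT_KEY, sizeof key);                 /* writable working copy */
    for (size_t i = 0; i < sizeof key; i++)
        out[i] = key[i] ^ salt;
    volatile unsigned char *p = key;
    for (size_t i = 0; i < sizeof key; i++)
        p[i] = 0;
    return (int)sizeof key;
}

int main(void)
{
    char out[32];
    shout(out, sizeof out, "hello, world");
    printf("%s\n", out);
    return 0;
}
```

The distinction that matters is storage, not the pointer type: `char *banner = "Welcome"` is a pointer into read-only data even though the declaration says `char *`, whereas `char banner[] = "Welcome"` would be a writable array copy, which is why the analyzer reports on the region written rather than on the declared type.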
2020-10-07  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97116
	* sm-malloc.cc (method_p): New.
	(describe_argument_index): New.
	(inform_nonnull_attribute): Use describe_argument_index.
	(possible_null_arg::describe_final_event): Likewise.
	(null_arg::describe_final_event): Likewise.

2020-09-29  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/95188
	* engine.cc (stmt_requires_new_enode_p): Split enodes before
	"signal" calls.

2020-09-29  David Malcolm  <dmalcolm@redhat.com>

	* constraint-manager.cc
	(constraint_manager::add_constraint_internal): Whitespace fixes.
	Silence -Wsign-compare warning.
	* engine.cc (maybe_process_run_of_before_supernode_enodes):
	Silence -Wsign-compare warning.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h (binop_svalue::dyn_cast_binop_svalue): Remove
	redundant "virtual". Add FINAL OVERRIDE.
	(widening_svalue::dyn_cast_widening_svalue): Add FINAL OVERRIDE.
	(compound_svalue::dyn_cast_compound_svalue): Likewise.
	(conjured_svalue::dyn_cast_conjured_svalue): Likewise.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (null_assignment_sm_context::m_visitor):
	Remove unused field.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97233
	* analyzer.cc (is_longjmp_call_p): Require the initial argument
	to be a pointer.
	* engine.cc (exploded_node::on_longjmp): Likewise.

2020-09-28  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::print): Update check
	for m_global_state being the start state.

2020-09-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96646
	PR analyzer/96841
	* region-model.cc (region_model::get_representative_path_var):
	When handling offset_region, wrap the MEM_REF's first argument in
	an ADDR_EXPR of pointer type, rather than simply using the tree
	for the parent region. Require the MEM_REF's second argument to
	be an integer constant.

2020-09-24  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (struct rejected_constraint): New decl.
	* analyzer.opt (fanalyzer-feasibility): New option.
	* diagnostic-manager.cc (path_builder::path_builder): Add
	"problem" param and use it to initialize new field.
	(path_builder::get_feasibility_problem): New accessor.
	(path_builder::m_feasibility_problem): New field.
	(dedupe_winners::add): Remove inversion of logic in "if" clause,
	swapping if/else suites. In the !feasible_p suite, inspect
	flag_analyzer_feasibility and add code to handle when this
	is off, accepting the infeasible path, but recording the
	feasibility_problem.
	(diagnostic_manager::emit_saved_diagnostic): Pass the
	feasibility_problem to the path_builder.
	(diagnostic_manager::add_events_for_eedge): If we have
	a feasibility_problem at this edge, use it to add a custom event.
	* engine.cc (exploded_path::feasible_p): Pass a
	rejected_constraint ** to model.maybe_update_for_edge and transfer
	ownership of any created instance to any feasibility_problem.
	(feasibility_problem::dump_to_pp): New.
	* exploded-graph.h (feasibility_problem::feasibility_problem):
	Drop "model" param; add rejected_constraint * param.
	(feasibility_problem::~feasibility_problem): New.
	(feasibility_problem::dump_to_pp): New decl.
	(feasibility_problem::m_model): Drop field.
	(feasibility_problem::m_rc): New field.
	* program-point.cc (function_point::get_location): Handle
	PK_BEFORE_SUPERNODE and PK_AFTER_SUPERNODE.
	* program-state.cc (program_state::on_edge): Pass NULL to new
	param of region_model::maybe_update_for_edge.
	* region-model.cc (region_model::add_constraint): New overload
	adding a rejected_constraint ** param.
	(region_model::maybe_update_for_edge): Add rejected_constraint **
	param and pass it to the various apply_constraints_for_ calls.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param and pass it to add_constraint calls.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(rejected_constraint::dump_to_pp): New.
	* region-model.h (region_model::maybe_update_for_edge):
	Add rejected_constraint ** param.
	(region_model::add_constraint): New overload adding a
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gcond): Add
	rejected_constraint ** param.
	(region_model::apply_constraints_for_gswitch): Likewise.
	(region_model::apply_constraints_for_exception): Likewise.
	(struct rejected_constraint): New.

2020-09-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/97178
	* engine.cc (impl_run_checkers): Update for change to ext_state
	ctor.
	* program-state.cc (selftest::test_sm_state_map): Pass an engine
	instance to ext_state ctor.
	(selftest::test_program_state_1): Likewise.
	(selftest::test_program_state_2): Likewise.
	(selftest::test_program_state_merging): Likewise.
	(selftest::test_program_state_merging_2): Likewise.
	* program-state.h (extrinsic_state::extrinsic_state): Remove NULL
	default value for "eng" param.

2020-09-23  Tobias Burnus  <tobias@codesourcery.com>

	* analyzer-logging.cc: Guard '#pragma ... ignored "-Wformat-diag"'
	by '#if __GNUC__ >= 10'.
	* analyzer.h: Likewise.
	* call-string.cc: Likewise.

2020-09-23  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::on_stmt): Replace sequence of dyn_cast
	with switch.

2020-09-22  David Malcolm  <dmalcolm@redhat.com>

	* analysis-plan.cc: Include "json.h".
	* analyzer.opt (fdump-analyzer-json): New.
	* call-string.cc: Include "json.h".
	(call_string::to_json): New.
	* call-string.h (call_string::to_json): New decl.
	* checker-path.cc: Include "json.h".
	* constraint-manager.cc: Include "json.h".
	(equiv_class::to_json): New.
	(constraint::to_json): New.
	(constraint_manager::to_json): New.
	* constraint-manager.h (equiv_class::to_json): New decl.
	(constraint::to_json): New decl.
	(constraint_manager::to_json): New decl.
4256 * diagnostic-manager.cc: Include "json.h".
4257 (saved_diagnostic::to_json): New.
4258 (diagnostic_manager::to_json): New.
4259 * diagnostic-manager.h (saved_diagnostic::to_json): New decl.
4260 (diagnostic_manager::to_json): New decl.
4261 * engine.cc: Include "json.h", <zlib.h>.
4262 (exploded_node::status_to_str): New.
4263 (exploded_node::to_json): New.
4264 (exploded_edge::to_json): New.
4265 (exploded_graph::to_json): New.
4266 (dump_analyzer_json): New.
4267 (impl_run_checkers): Call it.
4268 * exploded-graph.h (exploded_node::status_to_str): New decl.
4269 (exploded_node::to_json): New.
4270 (exploded_edge::to_json): New.
4271 (exploded_graph::to_json): New.
4272 * pending-diagnostic.cc: Include "json.h".
4273 * program-point.cc: Include "json.h".
4274 (program_point::to_json): New.
4275 * program-point.h (program_point::to_json): New decl.
4276 * program-state.cc: Include "json.h".
4277 (extrinsic_state::to_json): New.
4278 (sm_state_map::to_json): New.
4279 (program_state::to_json): New.
4280 * program-state.h (extrinsic_state::to_json): New decl.
4281 (sm_state_map::to_json): New decl.
4282 (program_state::to_json): New decl.
4283 * region-model-impl-calls.cc: Include "json.h".
4284 * region-model-manager.cc: Include "json.h".
4285 * region-model-reachability.cc: Include "json.h".
4286 * region-model.cc: Include "json.h".
4287 * region-model.h (svalue::to_json): New decl.
4288 (region::to_json): New decl.
4289 * region.cc: Include "json.h".
4290 (region::to_json: New.
4291 * sm-file.cc: Include "json.h".
4292 * sm-malloc.cc: Include "json.h".
4293 * sm-pattern-test.cc: Include "json.h".
4294 * sm-sensitive.cc: Include "json.h".
4295 * sm-signal.cc: Include "json.h".
4296 (signal_delivery_edge_info_t::to_json): New.
4297 * sm-taint.cc: Include "json.h".
4298 * sm.cc: Include "diagnostic.h", "tree-diagnostic.h", and
4299 "json.h".
4300 (state_machine::state::to_json): New.
4301 (state_machine::to_json): New.
4302 * sm.h (state_machine::state::to_json): New.
4303 (state_machine::to_json): New.
4304 * state-purge.cc: Include "json.h".
4305 * store.cc: Include "json.h".
4306 (binding_key::get_desc): New.
4307 (binding_map::to_json): New.
4308 (binding_cluster::to_json): New.
4309 (store::to_json): New.
4310 * store.h (binding_key::get_desc): New decl.
4311 (binding_map::to_json): New decl.
4312 (binding_cluster::to_json): New decl.
4313 (store::to_json): New decl.
4314 * supergraph.cc: Include "json.h".
4315 (supergraph::to_json): New.
4316 (supernode::to_json): New.
4317 (superedge::to_json): New.
4318 * supergraph.h (supergraph::to_json): New decl.
4319 (supernode::to_json): New decl.
4320 (superedge::to_json): New decl.
4321 * svalue.cc: Include "json.h".
4322 (svalue::to_json): New.
4323
44135373
GA
43242020-09-21 David Malcolm <dmalcolm@redhat.com>
4325
4326 PR analyzer/97130
4327 * region-model-impl-calls.cc (call_details::get_arg_type): New.
4328 * region-model.cc (region_model::on_call_pre): Check that the
4329 initial arg is a pointer before calling impl_call_memset and
4330 impl_call_strlen.
4331 * region-model.h (call_details::get_arg_type): New decl.
4332
43332020-09-21 David Malcolm <dmalcolm@redhat.com>
4334
4335 PR analyzer/93355
4336 * sm-malloc.cc (malloc_state_machine::get_default_state): Look at
4337 the base region when considering pointers. Treat pointers to
4338 decls as being non-heap.
4339
239601c5
GA
43402020-09-18 David Malcolm <dmalcolm@redhat.com>
4341
4342 * checker-path.cc (warning_event::get_desc): Handle global state
4343 changes.
4344
43452020-09-18 David Malcolm <dmalcolm@redhat.com>
4346
4347 * sm-malloc.cc (malloc_state_machine::on_stmt): Handle strdup and
4348 strndup as being malloc-like allocators.
4349
ecde1b0a
GA
43502020-09-16 David Malcolm <dmalcolm@redhat.com>
4351
4352 * engine.cc (strongly_connected_components::strong_connect): Only
4353 consider intraprocedural edges when creating SCCs.
4354 (worklist::key_t::cmp): Add comment. Treat call_string
4355 differences as more important than differences of program_point
4356 within a supernode.
4357
43582020-09-16 David Malcolm <dmalcolm@redhat.com>
4359
4360 * engine.cc (supernode_cluster::dump_dot): Show the SCC id
4361 in the per-supernode clusters in FILENAME.eg.dot output.
4362 (exploded_graph_annotator::add_node_annotations):
4363 Show the SCC of the supernode in FILENAME.supernode.eg.dot output.
4364 * exploded-graph.h (worklist::scc_id): New.
4365 (exploded_graph::get_scc_id): New.
4366
43672020-09-16 David Malcolm <dmalcolm@redhat.com>
4368
4369 * engine.cc (exploded_node::dump_dot): Show STATUS_BULK_MERGED.
4370 (exploded_graph::process_worklist): Call
4371 maybe_process_run_of_before_supernode_enodes.
4372 (exploded_graph::maybe_process_run_of_before_supernode_enodes):
4373 New.
4374 (exploded_graph_annotator::print_enode): Show STATUS_BULK_MERGED.
4375 * exploded-graph.h (enum exploded_node::status): Add
4376 STATUS_BULK_MERGED.
4377
43782020-09-16 David Malcolm <dmalcolm@redhat.com>
4379
4380 * engine.cc
4381 (exploded_graph::process_node) <case PK_BEFORE_SUPERNODE>:
4382 Simplify by using program_point::get_next.
4383 * program-point.cc (program_point::get_next): New.
4384 * program-point.h (program_point::get_next): New decl.
4385
43862020-09-16 David Malcolm <dmalcolm@redhat.com>
4387
4388 * engine.cc (exploded_graph::get_or_create_node): Show the
4389 program point when issuing -Wanalyzer-too-complex due to hitting
4390 the per-program-point limit.
4391
43922020-09-16 David Malcolm <dmalcolm@redhat.com>
4393
4394 * region-model.cc (region_model::on_call_pre): Treat getchar as
4395 having no side-effects.
4396
9f7ab8c5
GA
43972020-09-15 David Malcolm <dmalcolm@redhat.com>
4398
4399 PR analyzer/96650
4400 * constraint-manager.cc (merger_fact_visitor::on_fact): Replace
4401 assertion that add_constraint succeeded with an assertion that
4402 if it fails, -fanalyzer-transitivity is off.
4403
50a71cd0
GA
44042020-09-14 David Malcolm <dmalcolm@redhat.com>
4405
4406 * analyzer.opt (-param=analyzer-max-constraints=): New param.
4407 * constraint-manager.cc
4408 (constraint_manager::add_constraint_internal): Silently reject
4409 attempts to add constraints when the above limit is reached.
4410
44112020-09-14 David Malcolm <dmalcolm@redhat.com>
4412
4413 PR analyzer/96653
4414 * constraint-manager.cc
4415 (constraint_manager::get_or_add_equiv_class): Don't accumulate
4416 transitive closure of all constraints on constants.
4417
44182020-09-14 David Malcolm <dmalcolm@redhat.com>
4419
4420 PR analyzer/97029
4421 * analyzer.cc (is_setjmp_call_p): Require the initial arg to be a
4422 pointer.
4423 * region-model.cc (region_model::deref_rvalue): Assert that the
4424 svalue is of pointer type.
4425
ac35c090
GA
44262020-09-11 David Malcolm <dmalcolm@redhat.com>
4427
4428 PR analyzer/96798
4429 * region-model-impl-calls.cc (region_model::impl_call_memcpy):
4430 New.
4431 (region_model::impl_call_strcpy): New.
4432 * region-model.cc (region_model::on_call_pre): Flag unhandled
4433 builtins that are non-pure as having unknown side-effects.
4434 Implement BUILT_IN_MEMCPY, BUILT_IN_MEMCPY_CHK, BUILT_IN_STRCPY,
4435 BUILT_IN_STRCPY_CHK, BUILT_IN_FPRINTF, BUILT_IN_FPRINTF_UNLOCKED,
4436 BUILT_IN_PUTC, BUILT_IN_PUTC_UNLOCKED, BUILT_IN_FPUTC,
4437 BUILT_IN_FPUTC_UNLOCKED, BUILT_IN_FPUTS, BUILT_IN_FPUTS_UNLOCKED,
4438 BUILT_IN_FWRITE, BUILT_IN_FWRITE_UNLOCKED, BUILT_IN_PRINTF,
4439 BUILT_IN_PRINTF_UNLOCKED, BUILT_IN_PUTCHAR,
4440 BUILT_IN_PUTCHAR_UNLOCKED, BUILT_IN_PUTS, BUILT_IN_PUTS_UNLOCKED,
4441 BUILT_IN_VFPRINTF, BUILT_IN_VPRINTF.
4442 * region-model.h (region_model::impl_call_memcpy): New decl.
4443 (region_model::impl_call_strcpy): New decl.
4444
80f86e78
GA
44452020-09-09 David Malcolm <dmalcolm@redhat.com>
4446
4447 PR analyzer/94355
4448 * analyzer.opt (Wanalyzer-mismatching-deallocation): New warning.
4449 * region-model-impl-calls.cc
4450 (region_model::impl_call_operator_new): New.
4451 (region_model::impl_call_operator_delete): New.
4452 * region-model.cc (region_model::on_call_pre): Detect operator new
4453 and operator delete.
4454 (region_model::on_call_post): Likewise.
4455 (region_model::maybe_update_for_edge): Detect EH edges and call...
4456 (region_model::apply_constraints_for_exception): New function.
4457 * region-model.h (region_model::impl_call_operator_new): New decl.
4458 (region_model::impl_call_operator_delete): New decl.
4459 (region_model::apply_constraints_for_exception): New decl.
4460 * sm-malloc.cc (enum resource_state): New.
4461 (struct allocation_state): New state subclass.
4462 (enum wording): New.
4463 (struct api): New.
4464 (malloc_state_machine::custom_data_t): New typedef.
4465 (malloc_state_machine::add_state): New decl.
4466 (malloc_state_machine::m_unchecked)
4467 (malloc_state_machine::m_nonnull)
4468 (malloc_state_machine::m_freed): Delete these states in favor
4469 of...
4470 (malloc_state_machine::m_malloc)
4471 (malloc_state_machine::m_scalar_new)
4472 (malloc_state_machine::m_vector_new): ...this new api instances,
4473 which own their own versions of these states.
4474 (malloc_state_machine::on_allocator_call): New decl.
4475 (malloc_state_machine::on_deallocator_call): New decl.
4476 (api::api): New ctor.
4477 (dyn_cast_allocation_state): New.
4478 (as_a_allocation_state): New.
4479 (get_rs): New.
4480 (unchecked_p): New.
4481 (nonnull_p): New.
4482 (freed_p): New.
4483 (malloc_diagnostic::describe_state_change): Use unchecked_p and
4484 nonnull_p.
4485 (class mismatching_deallocation): New.
4486 (double_free::double_free): Add funcname param for initializing
4487 m_funcname.
4488 (double_free::emit): Use m_funcname in warning message rather
4489 than hardcoding "free".
4490 (double_free::describe_state_change): Likewise. Use freed_p.
4491 (double_free::describe_call_with_state): Use freed_p.
4492 (double_free::describe_final_event): Use m_funcname in message
4493 rather than hardcoding "free".
4494 (double_free::m_funcname): New field.
4495 (possible_null::describe_state_change): Use unchecked_p.
4496 (possible_null::describe_return_of_state): Likewise.
4497 (use_after_free::use_after_free): Add param for initializing m_api.
4498 (use_after_free::emit): Use m_api->m_dealloc_funcname in message
4499 rather than hardcoding "free".
4500 (use_after_free::describe_state_change): Use freed_p. Change the
4501 wording of the message based on the API.
4502 (use_after_free::describe_final_event): Use
4503 m_api->m_dealloc_funcname in message rather than hardcoding
4504 "free". Change the wording of the message based on the API.
4505 (use_after_free::m_api): New field.
4506 (malloc_leak::describe_state_change): Use unchecked_p. Update
4507 for renaming of m_malloc_event to m_alloc_event.
4508 (malloc_leak::describe_final_event): Update for renaming of
4509 m_malloc_event to m_alloc_event.
4510 (malloc_leak::m_malloc_event): Rename...
4511 (malloc_leak::m_alloc_event): ...to this.
4512 (free_of_non_heap::free_of_non_heap): Add param for initializing
4513 m_funcname.
4514 (free_of_non_heap::emit): Use m_funcname in message rather than
4515 hardcoding "free".
4516 (free_of_non_heap::describe_final_event): Likewise.
4517 (free_of_non_heap::m_funcname): New field.
4518 (allocation_state::dump_to_pp): New.
4519 (allocation_state::get_nonnull): New.
4520 (malloc_state_machine::malloc_state_machine): Update for changes
4521 to state fields and new api fields.
4522 (malloc_state_machine::add_state): New.
4523 (malloc_state_machine::on_stmt): Move malloc/calloc handling to
4524 on_allocator_call and call it, passing in the API pointer.
4525 Likewise for free, moving it to on_deallocator_call. Handle calls
4526 to operator new and delete in an analogous way. Use unchecked_p
4527 when testing for possibly-null-arg and possibly-null-deref, and
4528 transition to the non-null for the correct API. Remove redundant
4529 node param from call to on_zero_assignment. Use freed_p for
4530 use-after-free check, and pass in API.
4531 (malloc_state_machine::on_allocator_call): New, based on code in
4532 on_stmt.
4533 (malloc_state_machine::on_deallocator_call): Likewise.
4534 (malloc_state_machine::on_phi): Mark node param with
4535 ATTRIBUTE_UNUSED; don't pass it to on_zero_assignment.
4536 (malloc_state_machine::on_condition): Mark node param with
4537 ATTRIBUTE_UNUSED. Replace on_transition calls with get_state and
4538 set_next_state pairs, transitioning to the non-null state for the
4539 appropriate API.
4540 (malloc_state_machine::can_purge_p): Port to new state approach.
4541 (malloc_state_machine::on_zero_assignment): Replace on_transition
4542 calls with get_state and set_next_state pairs. Drop redundant
4543 node param.
4544 * sm.h (state_machine::add_custom_state): New.
4545
45462020-09-09 David Malcolm <dmalcolm@redhat.com>
4547
4548 * diagnostic-manager.cc
4549 (null_assignment_sm_context::warn_for_state): Replace with...
4550 (null_assignment_sm_context::warn): ...this.
4551 * engine.cc (impl_sm_context::warn_for_state): Replace with...
4552 (impl_sm_context::warn): ...this.
4553 * sm-file.cc (fileptr_state_machine::on_stmt): Replace
4554 warn_for_state and on_transition calls with a get_state
4555 test guarding warn and set_next_state calls.
4556 * sm-malloc.cc (malloc_state_machine::on_stmt): Likewise.
4557 * sm-pattern-test.cc (pattern_test_state_machine::on_condition):
4558 Replace warn_for_state call with warn call.
4559 * sm-sensitive.cc
4560 (sensitive_state_machine::warn_for_any_exposure): Replace
4561 warn_for_state call with a get_state test guarding a warn call.
4562 * sm-signal.cc (signal_state_machine::on_stmt): Likewise.
4563 * sm-taint.cc (taint_state_machine::on_stmt): Replace
4564 warn_for_state and on_transition calls with a get_state
4565 test guarding warn and set_next_state calls.
4566 * sm.h (sm_context::warn_for_state): Replace with...
4567 (sm_context::warn): ...this.
4568
45692020-09-09 David Malcolm <dmalcolm@redhat.com>
4570
4571 * diagnostic-manager.cc
4572 (null_assignment_sm_context::null_assignment_sm_context): Add old_state
4573 and ext_state params, initializing m_old_state and m_ext_state.
4574 (null_assignment_sm_context::on_transition): Split into...
4575 (null_assignment_sm_context::get_state): ...this new vfunc
4576 implementation and...
4577 (null_assignment_sm_context::set_next_state): ...this new vfunc
4578 implementation.
4579 (null_assignment_sm_context::m_old_state): New field.
4580 (null_assignment_sm_context::m_ext_state): New field.
4581 (diagnostic_manager::add_events_for_eedge): Pass in old state and
4582 ext_state when creating sm_ctxt.
4583 * engine.cc (impl_sm_context::on_transition): Split into...
4584 (impl_sm_context::get_state): ...this new vfunc
4585 implementation and...
4586 (impl_sm_context::set_next_state): ...this new vfunc
4587 implementation.
4588 * sm.h (sm_context::get_state): New pure virtual function.
4589 (sm_context::set_next_state): Likewise.
4590 (sm_context::on_transition): Convert from a pure virtual function
4591 to a regular function implemented in terms of get_state and
4592 set_next_state.
4593
45942020-09-09 David Malcolm <dmalcolm@redhat.com>
4595
4596 * checker-path.cc (state_change_event::get_desc): Update
4597 state_machine::get_state_name calls to state::get_name.
4598 (warning_event::get_desc): Likewise.
4599 * diagnostic-manager.cc
4600 (null_assignment_sm_context::on_transition): Update comparison
4601 against 0 with comparison with m_sm.get_start_state.
4602 (diagnostic_manager::prune_for_sm_diagnostic): Update
4603 state_machine::get_state_name calls to state::get_name.
4604 * engine.cc (impl_sm_context::on_transition): Likewise.
4605 (exploded_node::get_dot_fillcolor): Use get_id when summing
4606 the sm states.
4607 * program-state.cc (sm_state_map::sm_state_map): Don't hardcode
4608 0 as the start state when initializing m_global_state.
4609 (sm_state_map::print): Use dump_to_pp rather than get_state_name
4610 when dumping states.
4611 (sm_state_map::is_empty_p): Don't hardcode 0 as the start state
4612 when examining m_global_state.
4613 (sm_state_map::hash): Use get_id when hashing states.
4614 (selftest::test_sm_state_map): Use state objects rather than
4615 arbitrary hardcoded integers.
4616 (selftest::test_program_state_merging): Likewise.
4617 (selftest::test_program_state_merging_2): Likewise.
4618 * sm-file.cc (fileptr_state_machine::m_start): Move to base class.
4619 (file_diagnostic::describe_state_change): Use get_start_state.
4620 (fileptr_state_machine::fileptr_state_machine): Drop m_start
4621 initialization.
4622 * sm-malloc.cc (malloc_state_machine::m_start): Move to base
4623 class.
4624 (malloc_diagnostic::describe_state_change): Use get_start_state.
4625 (possible_null::describe_state_change): Likewise.
4626 (malloc_state_machine::malloc_state_machine): Drop m_start
4627 initialization.
4628 * sm-pattern-test.cc (pattern_test_state_machine::m_start): Move
4629 to base class.
4630 (pattern_test_state_machine::pattern_test_state_machine): Drop
4631 m_start initialization.
4632 * sm-sensitive.cc (sensitive_state_machine::m_start): Move to base
4633 class.
4634 (sensitive_state_machine::sensitive_state_machine): Drop m_start
4635 initialization.
4636 * sm-signal.cc (signal_state_machine::m_start): Move to base
4637 class.
4638 (signal_state_machine::signal_state_machine): Drop m_start
4639 initialization.
4640 * sm-taint.cc (taint_state_machine::m_start): Move to base class.
4641 (taint_state_machine::taint_state_machine): Drop m_start
4642 initialization.
4643 * sm.cc (state_machine::state::dump_to_pp): New.
4644 (state_machine::state_machine): Move here from sm.h. Initialize
4645 m_next_state_id and m_start.
4646 (state_machine::add_state): Reimplement in terms of state objects.
4647 (state_machine::get_state_name): Delete.
4648 (state_machine::get_state_by_name): Reimplement in terms of state
4649 objects. Make const.
4650 (state_machine::validate): Delete.
4651 (state_machine::dump_to_pp): Reimplement in terms of state
4652 objects.
4653 * sm.h (state_machine::state): New class.
4654 (state_machine::state_t): Convert typedef from "unsigned" to
4655 "const state_machine::state *".
4656 (state_machine::state_machine): Move to sm.cc.
4657 (state_machine::get_default_state): Use m_start rather than
4658 hardcoding 0.
4659 (state_machine::get_state_name): Delete.
4660 (state_machine::get_state_by_name): Make const.
4661 (state_machine::get_start_state): New accessor.
4662 (state_machine::alloc_state_id): New.
4663 (state_machine::m_state_names): Drop in favor of...
4664 (state_machine::m_states): New field
4665 (state_machine::m_start): New field
4666 (start_start_p): Delete.
4667
31a05046
GA
46682020-09-08 David Malcolm <dmalcolm@redhat.com>
4669
4670 PR analyzer/96949
4671 * store.cc (binding_map::apply_ctor_val_to_range): Add
4672 error-handling for the cases where we have symbolic offsets.
4673
46742020-09-08 David Malcolm <dmalcolm@redhat.com>
4675
4676 PR analyzer/96950
4677 * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
4678 where min_index == max_index.
4679 (binding_map::apply_ctor_val_to_range): Replace assertion that we
4680 don't have a CONSTRUCTOR value with error-handling.
4681
46822020-09-08 David Malcolm <dmalcolm@redhat.com>
4683
4684 PR analyzer/96962
4685 * region-model.cc (region_model::on_call_pre): Fix guard on switch
4686 on built-ins to only consider BUILT_IN_NORMAL, rather than other
4687 kinds of build-ins.
4688
e1a4a8a0
GA
46892020-09-01 David Malcolm <dmalcolm@redhat.com>
4690
4691 PR analyzer/96792
4692 * region-model.cc (region_model::deref_rvalue): Add the constraint
4693 that PTR_SVAL is non-NULL.
4694
13e4ba28
GA
46952020-08-31 David Malcolm <dmalcolm@redhat.com>
4696
4697 PR analyzer/96798
4698 * region-model.cc (region_model::on_call_pre): Handle
4699 BUILT_IN_MEMSET_CHK.
4700
47012020-08-31 David Malcolm <dmalcolm@redhat.com>
4702
4703 * region-model.cc (region_model::on_call_pre): Gather handling of
4704 builtins and of internal fns into switch statements. Handle
4705 "alloca" and BUILT_IN_ALLOCA_WITH_ALIGN.
4706
47072020-08-31 David Malcolm <dmalcolm@redhat.com>
4708
4709 PR analyzer/96860
4710 * region.cc (decl_region::get_svalue_for_constructor): Support
4711 apply_ctor_to_region failing.
4712 * store.cc (binding_map::apply_ctor_to_region): Add failure
4713 handling.
4714 (binding_map::apply_ctor_val_to_range): Likewise.
4715 (binding_map::apply_ctor_pair_to_child_region): Likewise. Replace
4716 assertion that child_base_offset is not symbolic with error
4717 handling.
4718 * store.h (binding_map::apply_ctor_to_region): Convert return type
4719 from void to bool.
4720 (binding_map::apply_ctor_val_to_range): Likewise.
4721 (binding_map::apply_ctor_pair_to_child_region): Likewise.
4722
47232020-08-31 David Malcolm <dmalcolm@redhat.com>
4724
4725 PR analyzer/96763
4726 * store.cc (binding_map::apply_ctor_to_region): Handle RANGE_EXPR
4727 by calling a new binding_map::apply_ctor_val_to_range subroutine.
4728 Split out the existing non-CONSTRUCTOR-handling code to a new
4729 apply_ctor_pair_to_child_region subroutine.
4730 (binding_map::apply_ctor_val_to_range): New.
4731 (binding_map::apply_ctor_pair_to_child_region): New, split out
4732 from binding_map::apply_ctor_to_region as noted above.
4733 * store.h (binding_map::apply_ctor_val_to_range): New decl.
4734 (binding_map::apply_ctor_pair_to_child_region): New decl.
4735
47362020-08-31 David Malcolm <dmalcolm@redhat.com>
4737
4738 PR analyzer/96764
4739 * region-model-manager.cc
4740 (region_model_manager::maybe_fold_unaryop): Handle VIEW_CONVERT_EXPR.
4741 (region_model_manager::get_or_create_cast): Move logic for
4742 real->integer casting to...
4743 (get_code_for_cast): ...this new function, and add logic for
4744 real->non-integer casts.
4745 (region_model_manager::maybe_fold_sub_svalue): Handle
4746 VIEW_CONVERT_EXPR.
4747 * region-model.cc
4748 (region_model::add_any_constraints_from_gassign): Likewise.
4749 * svalue.cc (svalue::maybe_undo_cast): Likewise.
4750 (unaryop_svalue::dump_to_pp): Likewise.
4751
57ea0894
GA
47522020-08-26 David Malcolm <dmalcolm@redhat.com>
4753
4754 PR analyzer/94858
4755 * region-model-manager.cc
4756 (region_model_manager::get_or_create_widening_svalue): Assert that
4757 neither of the inputs are themselves widenings.
4758 * store.cc (store::eval_alias_1): The initial value of a pointer
4759 can't point to a region that was allocated on the heap after the
4760 beginning of the path. A widened pointer value can't alias anything
4761 that the initial pointer value can't alias.
4762 * svalue.cc (svalue::can_merge_p): Merge BINOP (X, OP, CST) with X
4763 to a widening svalue. Merge
4764 BINOP(WIDENING(BASE, BINOP(BASE, X)), X) and BINOP(BASE, X) to
4765 to the LHS of the first BINOP.
4766
47672020-08-26 David Malcolm <dmalcolm@redhat.com>
4768
4769 PR analyzer/96777
4770 * region-model.h (class compound_svalue): Document that all keys
4771 must be concrete.
4772 (compound_svalue::compound_svalue): Move definition to svalue.cc.
4773 * store.cc (binding_map::apply_ctor_to_region): Handle
4774 initializers for trailing arrays with incomplete size.
4775 * svalue.cc (compound_svalue::compound_svalue): Move definition
4776 here from region-model.h. Add assertion that all keys are
4777 concrete.
4778
e769f970
GA
47792020-08-22 David Malcolm <dmalcolm@redhat.com>
4780
4781 PR analyzer/94851
4782 * region-model-manager.cc
4783 (region_model_manager::maybe_fold_binop): Fold bitwise "& 0" to 0.
4784
47852020-08-22 David Malcolm <dmalcolm@redhat.com>
4786
4787 * store.cc (store::eval_alias): Make const. Split out 2nd half
4788 into store::eval_alias_1 and call it twice for symmetry, avoiding
4789 test duplication.
4790 (store::eval_alias_1): New function, split out from the above.
4791 * store.h (store::eval_alias): Make const.
4792 (store::eval_alias_1): New decl.
4793
47942020-08-22 David Malcolm <dmalcolm@redhat.com>
4795
4796 * region-model.cc (region_model::push_frame): Bind the default
4797 SSA name for each parm if it exists, falling back to the parm
4798 itself otherwise, rather than doing both.
4799
5b9a3d2a
GA
48002020-08-20 David Malcolm <dmalcolm@redhat.com>
4801
4802 PR analyzer/96723
4803 * region-model-manager.cc
4804 (region_model_manager::get_field_region): Assert that field is a
4805 FIELD_DECL.
4806 * region.cc (region::get_subregions_for_binding): In
4807 union-handling, filter the TYPE_FIELDS traversal to just FIELD_DECLs.
4808
48092020-08-20 David Malcolm <dmalcolm@redhat.com>
4810
4811 PR analyzer/96713
4812 * region-model.cc (region_model::get_gassign_result): For
4813 comparisons, only use eval_condition when the lhs has boolean
4814 type, and use get_or_create_constant_svalue on the boolean
4815 constants directly rather than via get_rvalue.
4816
04e23a40
GA
48172020-08-19 David Malcolm <dmalcolm@redhat.com>
4818
4819 PR analyzer/96643
4820 * region-model.cc (region_model::deref_rvalue): Rather than
4821 attempting to handle all svalue kinds in the switch, only cover
4822 the special cases, and move symbolic-region handling to after
4823 the switch, thus implicitly handling the missing case SK_COMPOUND.
4824
48252020-08-19 David Malcolm <dmalcolm@redhat.com>
4826
4827 PR analyzer/96705
4828 * region-model-manager.cc
4829 (region_model_manager::maybe_fold_binop): Check that we have an
4830 integral type before calling build_int_cst.
4831
48322020-08-19 David Malcolm <dmalcolm@redhat.com>
4833
4834 PR analyzer/96699
4835 * region-model-manager.cc
4836 (region_model_manager::get_or_create_cast): Use FIX_TRUNC_EXPR for
4837 casting from REAL_TYPE to INTEGER_TYPE.
4838
48392020-08-19 David Malcolm <dmalcolm@redhat.com>
4840
4841 PR analyzer/96651
4842 * region-model.cc (region_model::called_from_main_p): New.
4843 (region_model::get_store_value): Move handling for globals into...
4844 (region_model::get_initial_value_for_global): ...this new
4845 function, and add logic for extracting values from decl
4846 initializers.
4847 * region-model.h (decl_region::get_svalue_for_constructor): New
4848 decl.
4849 (decl_region::get_svalue_for_initializer): New decl.
4850 (region_model::called_from_main_p): New decl.
4851 (region_model::get_initial_value_for_global): New.
4852 * region.cc (decl_region::maybe_get_constant_value): Move logic
4853 for getting an svalue from a CONSTRUCTOR node to...
4854 (decl_region::get_svalue_for_constructor): ...this new function.
4855 (decl_region::get_svalue_for_initializer): New.
4856 * store.cc (get_svalue_for_ctor_val): Rewrite in terms of
4857 region_model::get_rvalue.
4858 * store.h (binding_cluster::get_map): New accessor.
4859
48602020-08-19 David Malcolm <dmalcolm@redhat.com>
4861
4862 PR analyzer/96648
4863 * region.cc (get_field_at_bit_offset): Gracefully handle negative
4864 values for bit_offset.
4865
5c265693
GA
48662020-08-18 David Malcolm <dmalcolm@redhat.com>
4867
4868 * region-model.cc (region_model::get_rvalue_1): Fix name of local.
4869
48702020-08-18 David Malcolm <dmalcolm@redhat.com>
4871
4872 PR analyzer/96641
4873 * region-model.cc (region_model::get_rvalue_1): Handle
4874 unrecognized tree codes by returning "UNKNOWN.
4875
48762020-08-18 David Malcolm <dmalcolm@redhat.com>
4877
4878 PR analyzer/96640
4879 * region-model.cc (region_model::get_gassign_result): Handle various
4880 VEC_* tree codes by returning UNKNOWN.
4881 (region_model::on_assignment): Handle unrecognized tree codes by
4882 setting lhs to an unknown value, rather than issuing a "sorry" and
4883 asserting.
4884
deee2322
GA
48852020-08-17 David Malcolm <dmalcolm@redhat.com>
4886
4887 PR analyzer/96644
4888 * region-model-manager.cc (get_region_for_unexpected_tree_code):
4889 Handle ctxt being NULL.
4890
48912020-08-17 David Malcolm <dmalcolm@redhat.com>
4892
4893 PR analyzer/96639
4894 * region.cc (region::get_subregions_for_binding): Check for "type"
4895 being NULL.
4896
48972020-08-17 David Malcolm <dmalcolm@redhat.com>
4898
4899 PR analyzer/96642
	* store.cc (get_svalue_for_ctor_val): New.
	(binding_map::apply_ctor_to_region): Call it.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR testsuite/96609
	PR analyzer/96616
	* region-model.cc (region_model::get_store_value): Call
	maybe_get_constant_value on decl_regions first.
	* region-model.h (decl_region::maybe_get_constant_value): New decl.
	* region.cc (decl_region::get_stack_depth): Likewise.
	(decl_region::maybe_get_constant_value): New.
	* store.cc (get_subregion_within_ctor): New.
	(binding_map::apply_ctor_to_region): New.
	* store.h (binding_map::apply_ctor_to_region): New decl.

2020-08-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/96611
	* store.cc (store::mark_as_escaped): Reject attempts to
	get a cluster for an unknown pointer.

2020-08-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93032
	PR analyzer/93938
	PR analyzer/94011
	PR analyzer/94099
	PR analyzer/94399
	PR analyzer/94458
	PR analyzer/94503
	PR analyzer/94640
	PR analyzer/94688
	PR analyzer/94689
	PR analyzer/94839
	PR analyzer/95026
	PR analyzer/95042
	PR analyzer/95240
	* analyzer-logging.cc: Ignore "-Wformat-diag".
	(logger::enter_scope): Use inc_indent in both overloads.
	(logger::exit_scope): Use dec_indent.
	* analyzer-logging.h (logger::inc_indent): New.
	(logger::dec_indent): New.
	* analyzer-selftests.cc (run_analyzer_selftests): Call
	analyzer_store_cc_tests.
	* analyzer-selftests.h (analyzer_store_cc_tests): New decl.
	* analyzer.cc (get_stmt_location): New function.
	* analyzer.h (class initial_svalue): New forward decl.
	(class unaryop_svalue): New forward decl.
	(class binop_svalue): New forward decl.
	(class sub_svalue): New forward decl.
	(class unmergeable_svalue): New forward decl.
	(class placeholder_svalue): New forward decl.
	(class widening_svalue): New forward decl.
	(class compound_svalue): New forward decl.
	(class conjured_svalue): New forward decl.
	(svalue_set): New typedef.
	(class map_region): Delete.
	(class array_region): Delete.
	(class frame_region): New forward decl.
	(class function_region): New forward decl.
	(class label_region): New forward decl.
	(class decl_region): New forward decl.
	(class element_region): New forward decl.
	(class offset_region): New forward decl.
	(class cast_region): New forward decl.
	(class field_region): New forward decl.
	(class string_region): New forward decl.
	(class region_model_manager): New forward decl.
	(class store_manager): New forward decl.
	(class store): New forward decl.
	(class call_details): New forward decl.
	(struct svalue_id_merger_mapping): Delete.
	(struct canonicalization): Delete.
	(class function_point): New forward decl.
	(class engine): New forward decl.
	(dump_tree): New function decl.
	(print_quoted_type): New function decl.
	(readability_comparator): New function decl.
	(tree_cmp): New function decl.
	(class path_var): Move here from region-model.h
	(bit_offset_t, bit_size_t, byte_size_t): New typedefs.
	(class region_offset): New class.
	(get_stmt_location): New decl.
	(struct member_function_hash_traits): New struct.
	(class consolidation_map): New class.
	Ignore "-Wformat-diag".
	* analyzer.opt (-param=analyzer-max-svalue-depth=): New param.
	(-param=analyzer-max-enodes-for-full-dump=): New param.
	* call-string.cc: Ignore -Wformat-diag.
	* checker-path.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(state_change_event::state_change_event): Replace "tree var" param
	with "const svalue *sval".  Convert "origin" param from tree to
	"const svalue *".
	(state_change_event::get_desc): Call get_representative_tree to
	convert the var and origin from const svalue * to tree.  Use
	svalue::get_desc rather than %qE when describing state changes.
	(checker_path::add_final_event): Use get_stmt_location.
	* checker-path.h (state_change_event::state_change_event): Port
	from tree to const svalue *.
	(state_change_event::get_lvalue): Delete.
	(state_change_event::get_dest_function): New.
	(state_change_event::m_var): Replace with...
	(state_change_event::m_sval): ...this.
	(state_change_event::m_origin): Convert from tree to
	const svalue *.
	* constraint-manager.cc: Include "analyzer/call-string.h",
	"analyzer/program-point.h", and "analyzer/store.h" before
	"analyzer/region-model.h".
	(struct bound, struct range): Move to constraint-manager.h.
	(compare_constants): New function.
	(range::dump): Rename to...
	(range::dump_to_pp): ...this.  Support NULL constants.
	(range::dump): Reintroduce for dumping to stderr.
	(range::constrained_to_single_element): Return result, rather than
	writing to *OUT.
	(range::eval_condition): New.
	(range::below_lower_bound): New.
	(range::above_upper_bound): New.
	(equiv_class::equiv_class): Port from svalue_id to const svalue *.
	(equiv_class::print): Likewise.
	(equiv_class::hash): Likewise.
	(equiv_class::operator==): Port from svalue_id to const svalue *.
	(equiv_class::add): Port from svalue_id to const svalue *.  Drop
	"cm" param.
	(equiv_class::del): Port from svalue_id to const svalue *.
	(equiv_class::get_representative): Likewise.
	(equiv_class::remap_svalue_ids): Delete.
	(svalue_id_cmp_by_id): Rename to...
	(svalue_cmp_by_ptr): ...this, porting from svalue_id to
	const svalue *.
	(equiv_class::canonicalize): Update qsort comparator.
	(constraint::implied_by): New.
	(constraint_manager::constraint_manager): Copy m_mgr in copy ctor.
	(constraint_manager::dump_to_pp): Add "multiline" param.
	(constraint_manager::dump): Pass "true" for "multiline".
	(constraint_manager::add_constraint): Port from svalue_id to
	const svalue *.  Split out second part into...
	(constraint_manager::add_unknown_constraint): ...this new
	function.  Remove self-constraints when merging equivalence
	classes.
	(constraint_manager::add_constraint_internal): Remove constraints
	that would be implied by the new constraint.  Port from svalue_id
	to const svalue *.
	(constraint_manager::get_equiv_class_by_sid): Rename to...
	(constraint_manager::get_equiv_class_by_svalue): ...this, porting
	from svalue_id to const svalue *.
	(constraint_manager::get_or_add_equiv_class): Port from svalue_id
	to const svalue *.
	(constraint_manager::eval_condition): Make const.  Call
	compare_constants and return early if it provides a known result.
	(constraint_manager::get_ec_bounds): New.
	(constraint_manager::eval_condition): New overloads.  Make
	existing one const, and use compare_constants.
	(constraint_manager::purge): Convert "p" param to a template
	rather than an abstract base class.  Port from svalue_id to
	const svalue *.
	(class dead_svalue_purger): New class.
	(constraint_manager::remap_svalue_ids): Delete.
	(constraint_manager::on_liveness_change): New.
	(equiv_class_cmp): Port from svalue_id to const svalue *.
	(constraint_manager::canonicalize): Likewise.  Combine with
	purging of redundant equivalence classes and constraints.
	(class cleaned_constraint_manager): Delete.
	(class merger_fact_visitor): Make "m_cm_b" const.  Add "m_merger"
	field.
	(merger_fact_visitor::fact): Port from svalue_id to const svalue *.
	Add special case for widening.
	(constraint_manager::merge): Port from svalue_id to const svalue *.
	(constraint_manager::clean_merger_input): Delete.
	(constraint_manager::for_each_fact): Port from svalue_id to
	const svalue *.
	(constraint_manager::validate): Likewise.
	(selftest::test_constraint_conditions): Provide a
	region_model_manager when creating region_model instances.
	Add test for self-equality not creating equivalence classes.
	(selftest::test_transitivity): Provide a region_model_manager when
	creating region_model instances.  Verify that EC-merging happens
	when constraints are implied.
	(selftest::test_constant_comparisons): Provide a
	region_model_manager when creating region_model instances.
	(selftest::test_constraint_impl): Likewise.  Remove over-specified
	assertions.
	(selftest::test_equality): Provide a region_model_manager when
	creating region_model instances.
	(selftest::test_many_constants): Likewise.  Provide a
	program_point when testing merging.
	(selftest::run_constraint_manager_tests): Move call to
	test_constant_comparisons to outside the transitivity guard.
	* constraint-manager.h (struct bound): Move here from
	constraint-manager.cc.
	(struct range): Likewise.
	(struct::eval_condition): New decl.
	(struct::below_lower_bound): New decl.
	(struct::above_upper_bound): New decl.
	(equiv_class::add): Port from svalue_id to const svalue *.
	(equiv_class::del): Likewise.
	(equiv_class::get_representative): Likewise.
	(equiv_class::remap_svalue_ids): Drop.
	(equiv_class::m_cst_sid): Convert to...
	(equiv_class::m_cst_sval): ...this.
	(equiv_class::m_vars): Port from svalue_id to const svalue *.
	(constraint::bool implied_by): New decl.
	(fact_visitor::on_fact): Port from svalue_id to const svalue *.
	(constraint_manager::constraint_manager): Add mgr param.
	(constraint_manager::clone): Delete.
	(constraint_manager::maybe_get_constant): Delete.
	(constraint_manager::get_sid_for_constant): Delete.
	(constraint_manager::get_num_svalues): Delete.
	(constraint_manager::dump_to_pp): Add "multiline" param.
	(constraint_manager::get_equiv_class): Port from svalue_id to
	const svalue *.
	(constraint_manager::add_constraint): Likewise.
	(constraint_manager::get_equiv_class_by_sid): Rename to...
	(constraint_manager::get_equiv_class_by_svalue): ...this, porting
	from svalue_id to const svalue *.
	(constraint_manager::add_unknown_constraint): New decl.
	(constraint_manager::get_or_add_equiv_class): Port from svalue_id
	to const svalue *.
	(constraint_manager::eval_condition): Likewise.  Add overloads.
	(constraint_manager::get_ec_bounds): New decl.
	(constraint_manager::purge): Convert to template.
	(constraint_manager::remap_svalue_ids): Delete.
	(constraint_manager::on_liveness_change): New decl.
	(constraint_manager::canonicalize): Drop param.
	(constraint_manager::clean_merger_input): Delete.
	(constraint_manager::m_mgr): New field.
	* diagnostic-manager.cc: Move includes of
	"analyzer/call-string.h" and "analyzer/program-point.h" to before
	"analyzer/region-model.h", and also include "analyzer/store.h"
	before it.
	(saved_diagnostic::saved_diagnostic): Add "sval" param.
	(diagnostic_manager::diagnostic_manager): Add engine param.
	(diagnostic_manager::add_diagnostic): Add "sval" param, passing it
	to saved_diagnostic ctor.  Update overload to pass NULL for it.
	(dedupe_winners::dedupe_winners): Add engine param.
	(dedupe_winners::add): Add "eg" param.  Pass m_engine to
	feasible_p.
	(dedupe_winner::m_engine): New field.
	(diagnostic_manager::emit_saved_diagnostics): Pass engine to
	dedupe_winners.  Pass &eg when adding candidates.  Pass svalue
	rather than tree to prune_path.  Use get_stmt_location to get
	primary location of diagnostic.
	(diagnostic_manager::emit_saved_diagnostic): Likewise.
	(get_any_origin): Drop.
	(state_change_event_creator::on_global_state_change): Pass NULL
	const svalue * rather than NULL_TREE trees to state_change_event
	ctor.
	(state_change_event_creator::on_state_change): Port from tree and
	svalue_id to const svalue *.
	(for_each_state_change): Port from svalue_id to const svalue *.
	(struct null_assignment_sm_context): New.
	(diagnostic_manager::add_events_for_eedge): Add state change
	events for assignment to NULL.
	(diagnostic_manager::prune_path): Update param from tree to
	const svalue *.
	(diagnostic_manager::prune_for_sm_diagnostic): Port from tracking
	by tree to by const svalue *.
	* diagnostic-manager.h (saved_diagnostic::saved_diagnostic): Add sval
	param.
	(saved_diagnostic::m_sval): New field.
	(diagnostic_manager::diagnostic_manager): Add engine param.
	(diagnostic_manager::get_engine): New.
	(diagnostic_manager::add_diagnostic): Add "sval" param.
	(diagnostic_manager::prune_path): Likewise.
	(diagnostic_manager::prune_for_sm_diagnostic): New overload.
	(diagnostic_manager::m_eng): New field.
	* engine.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(impl_region_model_context::impl_region_model_context): Update for
	removal of m_change field.
	(impl_region_model_context::remap_svalue_ids): Delete.
	(impl_region_model_context::on_svalue_leak): New.
	(impl_region_model_context::on_svalue_purge): Delete.
	(impl_region_model_context::on_liveness_change): New.
	(impl_region_model_context::on_unknown_change): Update param
	from svalue_id to const svalue *.  Add is_mutable param.
	(setjmp_svalue::compare_fields): Delete.
	(setjmp_svalue::accept): New.
	(setjmp_svalue::add_to_hash): Delete.
	(setjmp_svalue::dump_to_pp): New.
	(setjmp_svalue::print_details): Delete.
	(impl_sm_context::impl_sm_context): Drop "change" param.
	(impl_sm_context::get_fndecl_for_call): Drop "m_change".
	(impl_sm_context::on_transition): Drop ATTRIBUTE_UNUSED from
	"stmt" param.  Drop m_change.  Port from svalue_id to
	const svalue *.
	(impl_sm_context::warn_for_state): Drop m_change.  Port from
	svalue_id to const svalue *.
	(impl_sm_context::get_readable_tree): Rename to...
	(impl_sm_context::get_diagnostic_tree): ...this.  Port from
	svalue_id to const svalue *.
	(impl_sm_context::is_zero_assignment): New.
	(impl_sm_context::m_change): Delete field.
	(leak_stmt_finder::find_stmt): Handle m_var being NULL.
	(readability): Increase penalty for MEM_REF.  For SSA_NAMEs,
	slightly favor the underlying var over the SSA name.  Heavily
	penalize temporaries.  Handle RESULT_DECL.
	(readability_comparator): Make non-static.  Consider stack depths.
	(impl_region_model_context::on_state_leak): Convert from svalue_id
	to const svalue *, updating for region_model changes.  Use
	id_equal.
	(impl_region_model_context::on_inherited_svalue): Delete.
	(impl_region_model_context::on_cast): Delete.
	(impl_region_model_context::on_condition): Drop m_change.
	(impl_region_model_context::on_phi): Likewise.
	(impl_region_model_context::on_unexpected_tree_code): Handle t
	being NULL.
	(point_and_state::validate): Update stack checking for
	region_model changes.
	(eg_traits::dump_args_t::show_enode_details_p): New.
	(exploded_node::exploded_node): Initialize m_num_processed_stmts.
	(exploded_node::get_processed_stmt): New function.
	(exploded_node::get_dot_fillcolor): Add more colors.
	(exploded_node::dump_dot): Guard the printing of the point and
	state with show_enode_details_p.  Print the processed stmts for
	this enode after the initial state.
	(exploded_node::dump_to_pp): Pass true for new multiline param
	of program_state::dump_to_pp.
	(exploded_node::on_stmt): Drop "change" param.  Log the stmt.
	Set input_location.  Implement __analyzer_describe.  Update
	implementation of __analyzer_dump and __analyzer_eval.
	Remove purging of sm-state for unknown fncalls from here.
	(exploded_node::on_edge): Drop "change" param.
	(exploded_node::on_longjmp): Port from region_id/svalue_id to
	const region */const svalue *.  Call program_state::detect_leaks.
	Drop state_change.
	(exploded_node::detect_leaks): Update for changes to region_model.
	Call program_state::detect_leaks.
	(exploded_edge::exploded_edge): Drop ext_state and change params.
	(exploded_edge::dump_dot): "args" is no longer used.  Drop dumping
	of m_change.
	(exploded_graph::exploded_graph): Pass engine to
	m_diagnostic_manager ctor.  Use program_point::origin.
	(exploded_graph::add_function_entry): Drop ctxt.  Use
	program_state::push_frame.  Drop state_change.
	(exploded_graph::get_or_create_node): Drop "change" param.  Add
	"enode_for_diag" param.  Update dumping calls for API changes.
	Pass point to can_merge_with_p.  Show enode indices
	within -Wanalyzer-too-complex diagnostic for hitting the per-point
	limit.
	(exploded_graph::add_edge): Drop "change" param.  Log which nodes
	are being connected.  Update for changes to exploded_edge ctor.
	(exploded_graph::get_per_program_point_data): New.
	(exploded_graph::process_worklist): Pass point to
	can_merge_with_p.  Drop state_change.  Update dumping call for API
	change.
	(exploded_graph::process_node): Drop state_change.  Split the
	node in-place if an sm-state-change occurs.  Update
	m_num_processed_stmts.  Update dumping calls for API change.
	(exploded_graph::log_stats): Call engine::log_stats.
	(exploded_graph::dump_states_for_supernode): Update dumping
	call.
	(exploded_path::feasible_p): Add "eng" and "eg" params.
	Rename "i" to "end_idx".  Pass the manager to the region_model
	ctor.  Update for every processed stmt in the enode, not just the
	first.  Keep track of which snodes have been visited, and call
	loop_replay_fixup when revisiting one.
	(enode_label::get_text): Update dump call for new param.
	(exploded_graph::dump_exploded_nodes): Likewise.
	(exploded_graph::get_node_by_index): New.
	(impl_run_checkers): Create engine instance and pass its address
	to extrinsic_state ctor.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Drop
	"change" params.
	(impl_region_model_context::void remap_svalue_ids): Delete.
	(impl_region_model_context::on_svalue_purge): Delete.
	(impl_region_model_context::on_svalue_leak): New.
	(impl_region_model_context::on_liveness_change): New.
	(impl_region_model_context::on_state_leak): Update signature.
	(impl_region_model_context::on_inherited_svalue): Delete.
	(impl_region_model_context::on_cast): Delete.
	(impl_region_model_context::on_unknown_change): Update signature.
	(impl_region_model_context::m_change): Delete.
	(eg_traits::dump_args_t::show_enode_details_p): New.
	(exploded_node::on_stmt): Drop "change" param.
	(exploded_node::on_edge): Likewise.
	(exploded_node::get_processed_stmt): New decl.
	(exploded_node::m_num_processed_stmts): New field.
	(exploded_edge::exploded_edge): Drop ext_state and change params.
	(exploded_edge::m_change): Delete.
	(exploded_graph::get_engine): New accessor.
	(exploded_graph::get_or_create_node): Drop "change" param.  Add
	"enode_for_diag" param.
	(exploded_graph::add_edge): Drop "change" param.
	(exploded_graph::get_per_program_point_data): New decl.
	(exploded_graph::get_node_by_index): New decl.
	(exploded_path::feasible_p): Add "eng" and "eg" params.
	* program-point.cc: Include "analyzer/store.h" before including
	"analyzer/region-model.h".
	(function_point::function_point): Move here from
	program-point.h.
	(function_point::get_function): Likewise.
	(function_point::from_function_entry): Likewise.
	(function_point::before_supernode): Likewise.
	(function_point::next_stmt): New function.
	* program-point.h (function_point::function_point): Move
	implementation from here to program-point.cc.
	(function_point::get_function): Likewise.
	(function_point::from_function_entry): Likewise.
	(function_point::before_supernode): Likewise.
	(function_point::next_stmt): New decl.
	(program_point::operator!=): New.
	(program_point::origin): New.
	(program_point::next_stmt): New.
	(program_point::m_function_point): Make non-const.
	* program-state.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(extrinsic_state::get_model_manager): New.
	(sm_state_map::sm_state_map): Pass in sm and sm_idx to ctor,
	rather than pass them around.
	(sm_state_map::clone_with_remapping): Delete.
	(sm_state_map::print): Remove "sm" param in favor of "m_sm".  Add
	"simple" and "multiline" params and support multiline vs single
	line dumping.
	(sm_state_map::dump): Remove "sm" param in favor of "m_sm".  Add
	"simple" param.
	(sm_state_map::hash): Port from svalue_id to const svalue *.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::get_state): Likewise.  Call canonicalize_svalue on
	input.  Handle inheritance of sm-state.  Call get_default_state.
	(sm_state_map::get_origin): Port from svalue_id to const svalue *.
	(sm_state_map::set_state): Likewise.  Pass in ext_state.  Reject
	attempts to set state on UNKNOWN.
	(sm_state_map::impl_set_state): Port from svalue_id to
	const svalue *.  Pass in ext_state.  Call canonicalize_svalue on
	input.
	(sm_state_map::purge_for_unknown_fncall): Delete.
	(sm_state_map::on_svalue_leak): New.
	(sm_state_map::remap_svalue_ids): Delete.
	(sm_state_map::on_liveness_change): New.
	(sm_state_map::on_unknown_change): Reimplement.
	(sm_state_map::on_svalue_purge): Delete.
	(sm_state_map::on_inherited_svalue): Delete.
	(sm_state_map::on_cast): Delete.
	(sm_state_map::validate): Delete.
	(sm_state_map::canonicalize_svalue): New.
	(program_state::program_state): Update to pass manager to
	region_model's ctor.  Constify num_states and pass state machine
	and index to sm_state_map ctor.
	(program_state::print): Update for changes to dump API.
	(program_state::dump_to_pp): Ignore the summarize param.  Add
	"multiline" param.
	(program_state::dump_to_file): Add "multiline" param.
	(program_state::dump): Pass "true" for new "multiline" param.
	(program_state::push_frame): New.
	(program_state::on_edge): Drop "change" param.  Call
	program_state::detect_leaks.
	(program_state::prune_for_point): Add enode_for_diag param.
	Reimplement based on store class.  Call detect_leaks.
	(program_state::remap_svalue_ids): Delete.
	(program_state::get_representative_tree): Port from svalue_id to
	const svalue *.
	(program_state::can_merge_with_p): Add "point" param.  Add early
	reject for sm-differences.  Drop id remapping.
	(program_state::validate): Drop region model and sm_state_map
	validation.
	(state_change::sm_change::dump): Delete.
	(state_change::sm_change::remap_svalue_ids): Delete.
	(state_change::sm_change::on_svalue_purge): Delete.
	(log_set_of_svalues): New.
	(state_change::sm_change::validate): Delete.
	(state_change::state_change): Delete.
	(state_change::add_sm_change): Delete.
	(state_change::affects_p): Delete.
	(state_change::dump): Delete.
	(state_change::remap_svalue_ids): Delete.
	(state_change::on_svalue_purge): Delete.
	(state_change::validate): Delete.
	(selftest::assert_dump_eq): Delete.
	(ASSERT_DUMP_EQ): Delete.
	(selftest::test_sm_state_map): Update for changes to region_model
	and sm_state_map, porting from svalue_id to const svalue *.
	(selftest::test_program_state_dumping): Likewise.  Drop test of
	dumping, renaming to...
	(selftest::test_program_state_1): ...this.
	(selftest::test_program_state_dumping_2): Likewise, renaming to...
	(selftest::test_program_state_2): ...this.
	(selftest::test_program_state_merging): Update for changes to
	region_model.
	(selftest::test_program_state_merging_2): Likewise.
	(selftest::analyzer_program_state_cc_tests): Update for renamed
	tests.
	* program-state.h (extrinsic_state::extrinsic_state): Add logger
	and engine params.
	(extrinsic_state::get_logger): New accessor.
	(extrinsic_state::get_engine): New accessor.
	(extrinsic_state::get_model_manager): New accessor.
	(extrinsic_state::m_logger): New field.
	(extrinsic_state::m_engine): New field.
	(struct default_hash_traits<svalue_id>): Delete.
	(pod_hash_traits<svalue_id>::hash): Delete.
	(pod_hash_traits<svalue_id>::equal): Delete.
	(pod_hash_traits<svalue_id>::mark_deleted): Delete.
	(pod_hash_traits<svalue_id>::mark_empty): Delete.
	(pod_hash_traits<svalue_id>::is_deleted): Delete.
	(pod_hash_traits<svalue_id>::is_empty): Delete.
	(sm_state_map::entry_t::entry_t): Port from svalue_id to
	const svalue *.
	(sm_state_map::entry_t::m_origin): Likewise.
	(sm_state_map::map_t): Likewise.
	(sm_state_map::sm_state_map): Add state_machine and index params.
	(sm_state_map::clone_with_remapping): Delete.
	(sm_state_map::print): Drop sm param; add simple and multiline
	params.
	(sm_state_map::dump): Drop sm param; add simple param.
	(sm_state_map::get_state): Port from svalue_id to const svalue *.
	Add ext_state param.
	(sm_state_map::get_origin): Likewise.
	(sm_state_map::set_state): Likewise.
	(sm_state_map::impl_set_state): Likewise.
	(sm_state_map::purge_for_unknown_fncall): Delete.
	(sm_state_map::remap_svalue_ids): Delete.
	(sm_state_map::on_svalue_purge): Delete.
	(sm_state_map::on_svalue_leak): New.
	(sm_state_map::on_liveness_change): New.
	(sm_state_map::on_inherited_svalue): Delete.
	(sm_state_map::on_cast): Delete.
	(sm_state_map::validate): Delete.
	(sm_state_map::on_unknown_change): Port from svalue_id to
	const svalue *.  Add is_mutable and ext_state params.
	(sm_state_map::canonicalize_svalue): New.
	(sm_state_map::m_sm): New field.
	(sm_state_map::m_sm_idx): New field.
	(program_state::operator=): Delete.
	(program_state::dump_to_pp): Drop "summarize" param, adding
	"simple" and "multiline".
	(program_state::dump_to_file): Likewise.
	(program_state::dump): Rename "summarize" to "simple".
	(program_state::push_frame): New.
	(program_state::get_current_function): New.
	(program_state::on_edge): Drop "change" param.
	(program_state::prune_for_point): Likewise.  Add enode_for_diag
	param.
	(program_state::remap_svalue_ids): Delete.
	(program_state::get_representative_tree): Port from svalue_id to
	const svalue *.
	(program_state::can_purge_p): Likewise.  Pass ext_state to get_state.
	(program_state::can_merge_with_p): Add point param.
	(program_state::detect_leaks): New.
	(state_change_visitor::on_state_change): Port from tree and
	svalue_id to a pair of const svalue *.
	(class state_change): Delete.
	* region.cc: New file.
	* region-model-impl-calls.cc: New file.
	* region-model-manager.cc: New file.
	* region-model-reachability.cc: New file.
	* region-model-reachability.h: New file.
	* region-model.cc: Include "analyzer/call-string.h",
	"analyzer/program-point.h", and "analyzer/store.h" before
	"analyzer/region-model.h".  Include
	"analyzer/region-model-reachability.h".
	(dump_tree): Make non-static.
	(dump_quoted_tree): Make non-static.
	(print_quoted_type): Make non-static.
	(path_var::dump): Delete.
	(dump_separator): Delete.
	(class impl_constraint_manager): Delete.
	(svalue_id::print): Delete.
	(svalue_id::dump_node_name_to_pp): Delete.
	(svalue_id::validate): Delete.
	(region_id::print): Delete.
	(region_id::dump_node_name_to_pp): Delete.
	(region_id::validate): Delete.
	(region_id_set::region_id_set): Delete.
	(svalue_id_set::svalue_id_set): Delete.
	(svalue::operator==): Delete.
	(svalue::hash): Delete.
	(svalue::print): Delete.
	(svalue::dump_dot_to_pp): Delete.
	(svalue::remap_region_ids): Delete.
	(svalue::walk_for_canonicalization): Delete.
	(svalue::get_child_sid): Delete.
	(svalue::maybe_get_constant): Delete.
	(region_svalue::compare_fields): Delete.
	(region_svalue::add_to_hash): Delete.
	(region_svalue::print_details): Delete.
	(region_svalue::dump_dot_to_pp): Delete.
	(region_svalue::remap_region_ids): Delete.
	(region_svalue::merge_values): Delete.
	(region_svalue::walk_for_canonicalization): Delete.
	(region_svalue::eval_condition): Delete.
	(constant_svalue::compare_fields): Delete.
	(constant_svalue::add_to_hash): Delete.
	(constant_svalue::merge_values): Delete.
	(constant_svalue::eval_condition): Move to svalue.cc.
	(constant_svalue::print_details): Delete.
	(constant_svalue::get_child_sid): Delete.
	(unknown_svalue::compare_fields): Delete.
	(unknown_svalue::add_to_hash): Delete.
	(unknown_svalue::print_details): Delete.
	(poison_kind_to_str): Move to svalue.cc.
	(poisoned_svalue::compare_fields): Delete.
	(poisoned_svalue::add_to_hash): Delete.
	(poisoned_svalue::print_details): Delete.
	(region_kind_to_str): Move to region.cc and reimplement.
	(region::operator==): Delete.
	(region::get_parent_region): Delete.
	(region::set_value): Delete.
	(region::become_active_view): Delete.
	(region::deactivate_any_active_view): Delete.
	(region::deactivate_view): Delete.
	(region::get_value): Delete.
	(region::get_inherited_child_sid): Delete.
	(region_model::copy_region): Delete.
	(region_model::copy_struct_region): Delete.
	(region_model::copy_union_region): Delete.
	(region_model::copy_array_region): Delete.
	(region::hash): Delete.
	(region::print): Delete.
	(region::dump_dot_to_pp): Delete.
	(region::dump_to_pp): Delete.
	(region::dump_child_label): Delete.
	(region::validate): Delete.
	(region::remap_svalue_ids): Delete.
	(region::remap_region_ids): Delete.
	(region::add_view): Delete.
	(region::get_view): Delete.
	(region::region): Move to region.cc.
	(region::add_to_hash): Delete.
	(region::print_fields): Delete.
	(region::non_null_p): Delete.
	(primitive_region::clone): Delete.
	(primitive_region::walk_for_canonicalization): Delete.
	(map_region::map_region): Delete.
	(map_region::compare_fields): Delete.
	(map_region::print_fields): Delete.
	(map_region::validate): Delete.
	(map_region::dump_dot_to_pp): Delete.
	(map_region::dump_child_label): Delete.
	(map_region::get_or_create): Delete.
	(map_region::get): Delete.
	(map_region::add_to_hash): Delete.
	(map_region::remap_region_ids): Delete.
	(map_region::unbind): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(map_region::get_tree_for_child_region): Delete.
	(tree_cmp): Move to region.cc.
	(map_region::can_merge_p): Delete.
	(map_region::walk_for_canonicalization): Delete.
	(map_region::get_value_by_name): Delete.
	(struct_or_union_region::valid_key_p): Delete.
	(struct_or_union_region::compare_fields): Delete.
	(struct_region::clone): Delete.
	(struct_region::compare_fields): Delete.
	(union_region::clone): Delete.
	(union_region::compare_fields): Delete.
	(frame_region::compare_fields): Delete.
	(frame_region::clone): Delete.
	(frame_region::valid_key_p): Delete.
	(frame_region::print_fields): Delete.
	(frame_region::add_to_hash): Delete.
	(globals_region::compare_fields): Delete.
	(globals_region::clone): Delete.
	(globals_region::valid_key_p): Delete.
	(code_region::compare_fields): Delete.
	(code_region::clone): Delete.
	(code_region::valid_key_p): Delete.
	(array_region::array_region): Delete.
	(array_region::get_element): Delete.
	(array_region::clone): Delete.
	(array_region::compare_fields): Delete.
	(array_region::print_fields): Delete.
	(array_region::validate): Delete.
	(array_region::dump_dot_to_pp): Delete.
	(array_region::dump_child_label): Delete.
	(array_region::get_or_create): Delete.
	(array_region::get): Delete.
	(array_region::add_to_hash): Delete.
	(array_region::remap_region_ids): Delete.
	(array_region::get_key_for_child_region): Delete.
	(array_region::key_cmp): Delete.
	(array_region::walk_for_canonicalization): Delete.
	(array_region::key_from_constant): Delete.
	(array_region::constant_from_key): Delete.
	(function_region::compare_fields): Delete.
	(function_region::clone): Delete.
	(function_region::valid_key_p): Delete.
	(stack_region::stack_region): Delete.
	(stack_region::compare_fields): Delete.
	(stack_region::clone): Delete.
	(stack_region::print_fields): Delete.
	(stack_region::dump_child_label): Delete.
	(stack_region::validate): Delete.
	(stack_region::push_frame): Delete.
	(stack_region::get_current_frame_id): Delete.
	(stack_region::pop_frame): Delete.
	(stack_region::add_to_hash): Delete.
	(stack_region::remap_region_ids): Delete.
	(stack_region::can_merge_p): Delete.
	(stack_region::walk_for_canonicalization): Delete.
	(stack_region::get_value_by_name): Delete.
	(heap_region::heap_region): Delete.
	(heap_region::compare_fields): Delete.
	(heap_region::clone): Delete.
	(heap_region::walk_for_canonicalization): Delete.
	(root_region::root_region): Delete.
	(root_region::compare_fields): Delete.
	(root_region::clone): Delete.
	(root_region::print_fields): Delete.
	(root_region::validate): Delete.
	(root_region::dump_child_label): Delete.
	(root_region::push_frame): Delete.
	(root_region::get_current_frame_id): Delete.
	(root_region::pop_frame): Delete.
	(root_region::ensure_stack_region): Delete.
	(root_region::get_stack_region): Delete.
	(root_region::ensure_globals_region): Delete.
	(root_region::get_code_region): Delete.
	(root_region::ensure_code_region): Delete.
	(root_region::get_globals_region): Delete.
	(root_region::ensure_heap_region): Delete.
	(root_region::get_heap_region): Delete.
	(root_region::remap_region_ids): Delete.
	(root_region::can_merge_p): Delete.
	(root_region::add_to_hash): Delete.
	(root_region::walk_for_canonicalization): Delete.
	(root_region::get_value_by_name): Delete.
	(symbolic_region::symbolic_region): Delete.
	(symbolic_region::compare_fields): Delete.
	(symbolic_region::clone): Delete.
	(symbolic_region::walk_for_canonicalization): Delete.
	(symbolic_region::print_fields): Delete.
	(region_model::region_model): Add region_model_manager * param.
	Reimplement in terms of store, dropping impl_constraint_manager
	subclass.
	(region_model::operator=): Reimplement in terms of store.
	(region_model::operator==): Likewise.
	(region_model::hash): Likewise.
	(region_model::print): Delete.
	(region_model::print_svalue): Delete.
	(region_model::dump_dot_to_pp): Delete.
	(region_model::dump_dot_to_file): Delete.
	(region_model::dump_dot): Delete.
	(region_model::dump_to_pp): Replace "summarize" param with
	"simple" and "multiline".  Port to store-based implementation.
	(region_model::dump): Replace "summarize" param with "simple" and
	"multiline".
5317 (sm_state_map::print): Remove "sm" param in favor of "m_sm". Add
5318 "simple" and "multiline" params and support multiline vs single
5319 line dumping.
5320 (sm_state_map::dump): Remove "sm" param in favor of "m_sm". Add
5321 "simple" param.
5322 (sm_state_map::hash): Port from svalue_id to const svalue *.
5323 (sm_state_map::operator==): Likewise.
5324 (sm_state_map::get_state): Likewise. Call canonicalize_svalue on
5325 input. Handle inheritance of sm-state. Call get_default_state.
5326 (sm_state_map::get_origin): Port from svalue_id to const svalue *.
5327 (sm_state_map::set_state): Likewise. Pass in ext_state. Reject
5328 attempts to set state on UNKNOWN.
5329 (sm_state_map::impl_set_state): Port from svalue_id to
5330 const svalue *. Pass in ext_state. Call canonicalize_svalue on
5331 input.
5332 (sm_state_map::purge_for_unknown_fncall): Delete.
5333 (sm_state_map::on_svalue_leak): New.
5334 (sm_state_map::remap_svalue_ids): Delete.
5335 (sm_state_map::on_liveness_change): New.
5336 (sm_state_map::on_unknown_change): Reimplement.
5337 (sm_state_map::on_svalue_purge): Delete.
5338 (sm_state_map::on_inherited_svalue): Delete.
5339 (sm_state_map::on_cast): Delete.
5340 (sm_state_map::validate): Delete.
5341 (sm_state_map::canonicalize_svalue): New.
5342 (program_state::program_state): Update to pass manager to
5343 region_model's ctor. Constify num_states and pass state machine
5344 and index to sm_state_map ctor.
5345 (program_state::print): Update for changes to dump API.
5346 (program_state::dump_to_pp): Ignore the summarize param. Add
5347 "multiline" param.
5348 (program_state::dump_to_file): Add "multiline" param.
5349 (program_state::dump): Pass "true" for new "multiline" param.
5350 (program_state::push_frame): New.
5351 (program_state::on_edge): Drop "change" param. Call
5352 program_state::detect_leaks.
5353 (program_state::prune_for_point): Add enode_for_diag param.
5354 Reimplement based on store class. Call detect_leaks
5355 (program_state::remap_svalue_ids): Delete.
5356 (program_state::get_representative_tree): Port from svalue_id to
5357 const svalue *.
5358 (program_state::can_merge_with_p): Add "point" param. Add early
5359 reject for sm-differences. Drop id remapping.
5360 (program_state::validate): Drop region model and sm_state_map
5361 validation.
5362 (state_change::sm_change::dump): Delete.
5363 (state_change::sm_change::remap_svalue_ids): Delete.
5364 (state_change::sm_change::on_svalue_purge): Delete.
5365 (log_set_of_svalues): New.
5366 (state_change::sm_change::validate): Delete.
5367 (state_change::state_change): Delete.
5368 (state_change::add_sm_change): Delete.
5369 (state_change::affects_p): Delete.
5370 (state_change::dump): Delete.
5371 (state_change::remap_svalue_ids): Delete.
5372 (state_change::on_svalue_purge): Delete.
5373 (state_change::validate): Delete.
5374 (selftest::assert_dump_eq): Delete.
5375 (ASSERT_DUMP_EQ): Delete.
5376 (selftest::test_sm_state_map): Update for changes to region_model
5377 and sm_state_map, porting from svalue_id to const svalue *.
5378 (selftest::test_program_state_dumping): Likewise. Drop test of
5379 dumping, renaming to...
5380 (selftest::test_program_state_1): ...this.
5381 (selftest::test_program_state_dumping_2): Likewise, renaming to...
5382 (selftest::test_program_state_2): ...this.
5383 (selftest::test_program_state_merging): Update for changes to
5384 region_model.
5385 (selftest::test_program_state_merging_2): Likewise.
5386 (selftest::analyzer_program_state_cc_tests): Update for renamed
5387 tests.
5388 * program-state.h (extrinsic_state::extrinsic_state): Add logger
5389 and engine params.
5390 (extrinsic_state::get_logger): New accessor.
5391 (extrinsic_state::get_engine): New accessor.
5392 (extrinsic_state::get_model_manager): New accessor.
5393 (extrinsic_state::m_logger): New field.
5394 (extrinsic_state::m_engine): New field.
5395 (struct default_hash_traits<svalue_id>): Delete.
5396 (pod_hash_traits<svalue_id>::hash): Delete.
5397 (pod_hash_traits<svalue_id>::equal): Delete.
5398 (pod_hash_traits<svalue_id>::mark_deleted): Delete.
5399 (pod_hash_traits<svalue_id>::mark_empty): Delete.
5400 (pod_hash_traits<svalue_id>::is_deleted): Delete.
5401 (pod_hash_traits<svalue_id>::is_empty): Delete.
5402 (sm_state_map::entry_t::entry_t): Port from svalue_id to
5403 const svalue *.
5404 (sm_state_map::entry_t::m_origin): Likewise.
5405 (sm_state_map::map_t): Likewise.
5406 (sm_state_map::sm_state_map): Add state_machine and index params.
5407 (sm_state_map::clone_with_remapping): Delete.
5408 (sm_state_map::print): Drop sm param; add simple and multiline
5409 params.
5410 (sm_state_map::dump): Drop sm param; add simple param.
5411 (sm_state_map::get_state): Port from svalue_id to const svalue *.
5412 Add ext_state param.
5413 (sm_state_map::get_origin): Likewise.
5414 (sm_state_map::set_state): Likewise.
5415 (sm_state_map::impl_set_state): Likewise.
5416 (sm_state_map::purge_for_unknown_fncall): Delete.
5417 (sm_state_map::remap_svalue_ids): Delete.
5418 (sm_state_map::on_svalue_purge): Delete.
5419 (sm_state_map::on_svalue_leak): New.
5420 (sm_state_map::on_liveness_change): New.
5421 (sm_state_map::on_inherited_svalue): Delete.
5422 (sm_state_map::on_cast): Delete.
5423 (sm_state_map::validate): Delete.
5424 (sm_state_map::on_unknown_change): Port from svalue_id to
5425 const svalue *. Add is_mutable and ext_state params.
5426 (sm_state_map::canonicalize_svalue): New.
5427 (sm_state_map::m_sm): New field.
5428 (sm_state_map::m_sm_idx): New field.
5429 (program_state::operator=): Delete.
5430 (program_state::dump_to_pp): Drop "summarize" param, adding
5431 "simple" and "multiline".
5432 (program_state::dump_to_file): Likewise.
5433 (program_state::dump): Rename "summarize" to "simple".
5434 (program_state::push_frame): New.
5435 (program_state::get_current_function): New.
5436 (program_state::on_edge): Drop "change" param.
5437 (program_state::prune_for_point): Likewise. Add enode_for_diag
5438 param.
5439 (program_state::remap_svalue_ids): Delete.
5440 (program_state::get_representative_tree): Port from svalue_id to
5441 const svalue *.
5442 (program_state::can_purge_p): Likewise. Pass ext_state to get_state.
5443 (program_state::can_merge_with_p): Add point param.
5444 (program_state::detect_leaks): New.
5445 (state_change_visitor::on_state_change): Port from tree and
5446 svalue_id to a pair of const svalue *.
5447 (class state_change): Delete.
5448 * region.cc: New file.
5449 * region-model-impl-calls.cc: New file.
5450 * region-model-manager.cc: New file.
5451 * region-model-reachability.cc: New file.
5452 * region-model-reachability.h: New file.
5453 * region-model.cc: Include "analyzer/call-string.h",
5454 "analyzer/program-point.h", and "analyzer/store.h" before
5455 "analyzer/region-model.h". Include
5456 "analyzer/region-model-reachability.h".
5457 (dump_tree): Make non-static.
5458 (dump_quoted_tree): Make non-static.
5459 (print_quoted_type): Make non-static.
5460 (path_var::dump): Delete.
5461 (dump_separator): Delete.
5462 (class impl_constraint_manager): Delete.
5463 (svalue_id::print): Delete.
5464 (svalue_id::dump_node_name_to_pp): Delete.
5465 (svalue_id::validate): Delete.
5466 (region_id::print): Delete.
5467 (region_id::dump_node_name_to_pp): Delete.
5468 (region_id::validate): Delete.
5469 (region_id_set::region_id_set): Delete.
5470 (svalue_id_set::svalue_id_set): Delete.
5471 (svalue::operator==): Delete.
5472 (svalue::hash): Delete.
5473 (svalue::print): Delete.
5474 (svalue::dump_dot_to_pp): Delete.
5475 (svalue::remap_region_ids): Delete.
5476 (svalue::walk_for_canonicalization): Delete.
5477 (svalue::get_child_sid): Delete.
5478 (svalue::maybe_get_constant): Delete.
5479 (region_svalue::compare_fields): Delete.
5480 (region_svalue::add_to_hash): Delete.
5481 (region_svalue::print_details): Delete.
5482 (region_svalue::dump_dot_to_pp): Delete.
5483 (region_svalue::remap_region_ids): Delete.
5484 (region_svalue::merge_values): Delete.
5485 (region_svalue::walk_for_canonicalization): Delete.
5486 (region_svalue::eval_condition): Delete.
5487 (constant_svalue::compare_fields): Delete.
5488 (constant_svalue::add_to_hash): Delete.
5489 (constant_svalue::merge_values): Delete.
5490 (constant_svalue::eval_condition): Move to svalue.cc.
5491 (constant_svalue::print_details): Delete.
5492 (constant_svalue::get_child_sid): Delete.
5493 (unknown_svalue::compare_fields): Delete.
5494 (unknown_svalue::add_to_hash): Delete.
5495 (unknown_svalue::print_details): Delete.
5496 (poison_kind_to_str): Move to svalue.cc.
5497 (poisoned_svalue::compare_fields): Delete.
5498 (poisoned_svalue::add_to_hash): Delete.
5499 (poisoned_svalue::print_details): Delete.
5500 (region_kind_to_str): Move to region.cc and reimplement.
5501 (region::operator==): Delete.
5502 (region::get_parent_region): Delete.
5503 (region::set_value): Delete.
5504 (region::become_active_view): Delete.
5505 (region::deactivate_any_active_view): Delete.
5506 (region::deactivate_view): Delete.
5507 (region::get_value): Delete.
5508 (region::get_inherited_child_sid): Delete.
5509 (region_model::copy_region): Delete.
5510 (region_model::copy_struct_region): Delete.
5511 (region_model::copy_union_region): Delete.
5512 (region_model::copy_array_region): Delete.
5513 (region::hash): Delete.
5514 (region::print): Delete.
5515 (region::dump_dot_to_pp): Delete.
5516 (region::dump_to_pp): Delete.
5517 (region::dump_child_label): Delete.
5518 (region::validate): Delete.
5519 (region::remap_svalue_ids): Delete.
5520 (region::remap_region_ids): Delete.
5521 (region::add_view): Delete.
5522 (region::get_view): Delete.
5523 (region::region): Move to region.cc.
5524 (region::add_to_hash): Delete.
5525 (region::print_fields): Delete.
5526 (region::non_null_p): Delete.
5527 (primitive_region::clone): Delete.
5528 (primitive_region::walk_for_canonicalization): Delete.
5529 (map_region::map_region): Delete.
5530 (map_region::compare_fields): Delete.
5531 (map_region::print_fields): Delete.
5532 (map_region::validate): Delete.
5533 (map_region::dump_dot_to_pp): Delete.
5534 (map_region::dump_child_label): Delete.
5535 (map_region::get_or_create): Delete.
5536 (map_region::get): Delete.
5537 (map_region::add_to_hash): Delete.
5538 (map_region::remap_region_ids): Delete.
5539 (map_region::unbind): Delete.
5540 (map_region::get_tree_for_child_region): Delete.
5541 (map_region::get_tree_for_child_region): Delete.
5542 (tree_cmp): Move to region.cc.
5543 (map_region::can_merge_p): Delete.
5544 (map_region::walk_for_canonicalization): Delete.
5545 (map_region::get_value_by_name): Delete.
5546 (struct_or_union_region::valid_key_p): Delete.
5547 (struct_or_union_region::compare_fields): Delete.
5548 (struct_region::clone): Delete.
5549 (struct_region::compare_fields): Delete.
5550 (union_region::clone): Delete.
5551 (union_region::compare_fields): Delete.
5552 (frame_region::compare_fields): Delete.
5553 (frame_region::clone): Delete.
5554 (frame_region::valid_key_p): Delete.
5555 (frame_region::print_fields): Delete.
5556 (frame_region::add_to_hash): Delete.
5557 (globals_region::compare_fields): Delete.
5558 (globals_region::clone): Delete.
5559 (globals_region::valid_key_p): Delete.
5560 (code_region::compare_fields): Delete.
5561 (code_region::clone): Delete.
5562 (code_region::valid_key_p): Delete.
5563 (array_region::array_region): Delete.
5564 (array_region::get_element): Delete.
5565 (array_region::clone): Delete.
5566 (array_region::compare_fields): Delete.
5567 (array_region::print_fields): Delete.
5568 (array_region::validate): Delete.
5569 (array_region::dump_dot_to_pp): Delete.
5570 (array_region::dump_child_label): Delete.
5571 (array_region::get_or_create): Delete.
5572 (array_region::get): Delete.
5573 (array_region::add_to_hash): Delete.
5574 (array_region::remap_region_ids): Delete.
5575 (array_region::get_key_for_child_region): Delete.
5576 (array_region::key_cmp): Delete.
5577 (array_region::walk_for_canonicalization): Delete.
5578 (array_region::key_from_constant): Delete.
5579 (array_region::constant_from_key): Delete.
5580 (function_region::compare_fields): Delete.
5581 (function_region::clone): Delete.
5582 (function_region::valid_key_p): Delete.
5583 (stack_region::stack_region): Delete.
5584 (stack_region::compare_fields): Delete.
5585 (stack_region::clone): Delete.
5586 (stack_region::print_fields): Delete.
5587 (stack_region::dump_child_label): Delete.
5588 (stack_region::validate): Delete.
5589 (stack_region::push_frame): Delete.
5590 (stack_region::get_current_frame_id): Delete.
5591 (stack_region::pop_frame): Delete.
5592 (stack_region::add_to_hash): Delete.
5593 (stack_region::remap_region_ids): Delete.
5594 (stack_region::can_merge_p): Delete.
5595 (stack_region::walk_for_canonicalization): Delete.
5596 (stack_region::get_value_by_name): Delete.
5597 (heap_region::heap_region): Delete.
5598 (heap_region::compare_fields): Delete.
5599 (heap_region::clone): Delete.
5600 (heap_region::walk_for_canonicalization): Delete.
5601 (root_region::root_region): Delete.
5602 (root_region::compare_fields): Delete.
5603 (root_region::clone): Delete.
5604 (root_region::print_fields): Delete.
5605 (root_region::validate): Delete.
5606 (root_region::dump_child_label): Delete.
5607 (root_region::push_frame): Delete.
5608 (root_region::get_current_frame_id): Delete.
5609 (root_region::pop_frame): Delete.
5610 (root_region::ensure_stack_region): Delete.
5611 (root_region::get_stack_region): Delete.
5612 (root_region::ensure_globals_region): Delete.
5613 (root_region::get_code_region): Delete.
5614 (root_region::ensure_code_region): Delete.
5615 (root_region::get_globals_region): Delete.
5616 (root_region::ensure_heap_region): Delete.
5617 (root_region::get_heap_region): Delete.
5618 (root_region::remap_region_ids): Delete.
5619 (root_region::can_merge_p): Delete.
5620 (root_region::add_to_hash): Delete.
5621 (root_region::walk_for_canonicalization): Delete.
5622 (root_region::get_value_by_name): Delete.
5623 (symbolic_region::symbolic_region): Delete.
5624 (symbolic_region::compare_fields): Delete.
5625 (symbolic_region::clone): Delete.
5626 (symbolic_region::walk_for_canonicalization): Delete.
5627 (symbolic_region::print_fields): Delete.
5628 (region_model::region_model): Add region_model_manager * param.
5629 Reimplement in terms of store, dropping impl_constraint_manager
5630 subclass.
5631 (region_model::operator=): Reimplement in terms of store.
5632 (region_model::operator==): Likewise.
5633 (region_model::hash): Likewise.
5634 (region_model::print): Delete.
5635 (region_model::print_svalue): Delete.
5636 (region_model::dump_dot_to_pp): Delete.
5637 (region_model::dump_dot_to_file): Delete.
5638 (region_model::dump_dot): Delete.
5639 (region_model::dump_to_pp): Replace "summarize" param with
5640 "simple" and "multiline". Port to store-based implementation.
5641 (region_model::dump): Replace "summarize" param with "simple" and
5642 "multiline".
5643 (dump_vec_of_tree): Delete.
5644 (region_model::dump_summary_of_rep_path_vars): Delete.
5645 (region_model::validate): Delete.
5646 (svalue_id_cmp_by_constant_svalue_model): Delete.
5647 (svalue_id_cmp_by_constant_svalue): Delete.
5648 (region_model::canonicalize): Drop "ctxt" param. Reimplement in
5649 terms of store and constraints.
5650 (region_model::canonicalized_p): Remove NULL arg to canonicalize.
5651 (region_model::loop_replay_fixup): New.
5652 (poisoned_value_diagnostic::emit): Tweak wording of warnings.
5653 (region_model::check_for_poison): Delete.
5654 (region_model::get_gassign_result): New.
5655 (region_model::on_assignment): Port to store-based implementation.
5656 (region_model::on_call_pre): Delete calls to check_for_poison.
5657 Move implementations to region-model-impl-calls.c and port to
5658 store-based implementation.
5659 (region_model::on_call_post): Likewise.
5660 (class reachable_regions): Move to region-model-reachability.h/cc
5661 and port to store-based implementation.
5662 (region_model::handle_unrecognized_call): Port to store-based
5663 implementation.
5664 (region_model::get_reachable_svalues): New.
5665 (region_model::on_setjmp): Port to store-based implementation.
5666 (region_model::on_longjmp): Likewise.
5667 (region_model::handle_phi): Drop is_back_edge param and the logic
5668 using it.
5669 (region_model::get_lvalue_1): Port from region_id to const region *.
5670 (region_model::make_region_for_unexpected_tree_code): Delete.
5671 (assert_compat_types): If the check fails, use internal_error to
5672 show the types.
5673 (region_model::get_lvalue): Port from region_id to const region *.
5674 (region_model::get_rvalue_1): Port from svalue_id to const svalue *.
5675 (region_model::get_rvalue): Likewise.
5676 (region_model::get_or_create_ptr_svalue): Delete.
5677 (region_model::get_or_create_constant_svalue): Delete.
5678 (region_model::get_svalue_for_fndecl): Delete.
5679 (region_model::get_region_for_fndecl): Delete.
5680 (region_model::get_svalue_for_label): Delete.
5681 (region_model::get_region_for_label): Delete.
5682 (build_cast): Delete.
5683 (region_model::maybe_cast_1): Delete.
5684 (region_model::maybe_cast): Delete.
5685 (region_model::get_field_region): Delete.
5686 (region_model::get_store_value): New.
5687 (region_model::region_exists_p): New.
5688 (region_model::deref_rvalue): Port from svalue_id to const svalue *.
5689 (region_model::set_value): Likewise.
5690 (region_model::clobber_region): New.
5691 (region_model::purge_region): New.
5692 (region_model::zero_fill_region): New.
5693 (region_model::mark_region_as_unknown): New.
5694 (region_model::eval_condition): Port from svalue_id to
5695 const svalue *.
5696 (region_model::eval_condition_without_cm): Likewise.
5697 (region_model::compare_initial_and_pointer): New.
5698 (region_model::add_constraint): Port from svalue_id to
5699 const svalue *.
5700 (region_model::maybe_get_constant): Delete.
5701 (region_model::get_representative_path_var): New.
5702 (region_model::add_new_malloc_region): Delete.
5703 (region_model::get_representative_tree): Port to const svalue *.
5704 (region_model::get_representative_path_var): Port to
5705 const region *.
5706 (region_model::get_path_vars_for_svalue): Delete.
5707 (region_model::set_to_new_unknown_value): Delete.
5708 (region_model::update_for_phis): Don't pass is_back_edge to handle_phi.
5709 (region_model::update_for_call_superedge): Port from svalue_id to
5710 const svalue *.
5711 (region_model::update_for_return_superedge): Port to store-based
5712 implementation.
5713 (region_model::update_for_call_summary): Replace
5714 set_to_new_unknown_value with mark_region_as_unknown.
5715 (region_model::get_root_region): Delete.
5716 (region_model::get_stack_region_id): Delete.
5717 (region_model::push_frame): Delete.
5718 (region_model::get_current_frame_id): Delete.
5719 (region_model::get_current_function): Delete.
5720 (region_model::pop_frame): Delete.
5721 (region_model::on_top_level_param): New.
5722 (region_model::get_stack_depth): Delete.
5723 (region_model::get_function_at_depth): Delete.
5724 (region_model::get_globals_region_id): Delete.
5725 (region_model::add_svalue): Delete.
5726 (region_model::replace_svalue): Delete.
5727 (region_model::add_region): Delete.
5728 (region_model::get_svalue): Delete.
5729 (region_model::get_region): Delete.
5730 (make_region_for_type): Delete.
5731 (region_model::add_region_for_type): Delete.
5732 (region_model::on_top_level_param): New.
5733 (class restrict_to_used_svalues): Delete.
5734 (region_model::purge_unused_svalues): Delete.
5735 (region_model::push_frame): New.
5736 (region_model::remap_svalue_ids): Delete.
5737 (region_model::remap_region_ids): Delete.
5738 (region_model::purge_regions): Delete.
5739 (region_model::get_descendents): Delete.
5740 (region_model::delete_region_and_descendents): Delete.
5741 (region_model::poison_any_pointers_to_bad_regions): Delete.
5742 (region_model::can_merge_with_p): Delete.
5743 (region_model::get_current_function): New.
5744 (region_model::get_value_by_name): Delete.
5745 (region_model::convert_byte_offset_to_array_index): Delete.
5746 (region_model::pop_frame): New.
5747 (region_model::get_or_create_mem_ref): Delete.
5748 (region_model::get_stack_depth): New.
5749 (region_model::get_frame_at_index): New.
5750 (region_model::unbind_region_and_descendents): New.
5751 (struct bad_pointer_finder): New.
5752 (region_model::get_or_create_pointer_plus_expr): Delete.
5753 (region_model::poison_any_pointers_to_descendents): New.
5754 (region_model::get_or_create_view): Delete.
5755 (region_model::can_merge_with_p): New.
5756 (region_model::get_fndecl_for_call): Port from svalue_id to
5757 const svalue *.
5758 (struct append_ssa_names_cb_data): New.
5759 (get_ssa_name_regions_for_current_frame): New.
5760 (region_model::append_ssa_names_cb): New.
5761 (model_merger::dump_to_pp): Add "simple" param. Drop dumping of
5762 remappings.
5763 (model_merger::dump): Add "simple" param to both overloads.
5764 (model_merger::can_merge_values_p): Delete.
5765 (model_merger::record_regions): Delete.
5766 (model_merger::record_svalues): Delete.
5767 (svalue_id_merger_mapping::svalue_id_merger_mapping): Delete.
5768 (svalue_id_merger_mapping::dump_to_pp): Delete.
5769 (svalue_id_merger_mapping::dump): Delete.
5770 (region_model::create_region_for_heap_alloc): New.
5771 (region_model::create_region_for_alloca): New.
5772 (region_model::record_dynamic_extents): New.
5773 (canonicalization::canonicalization): Delete.
5774 (canonicalization::walk_rid): Delete.
5775 (canonicalization::walk_sid): Delete.
5776 (canonicalization::dump_to_pp): Delete.
5777 (canonicalization::dump): Delete.
5778 (inchash::add): Delete overloads for svalue_id and region_id.
5779 (engine::log_stats): New.
5780 (assert_condition): Add overload comparing svalues.
5781 (assert_dump_eq): Pass "true" for multiline.
5782 (selftest::test_dump): Update for rewrite of region_model.
5783 (selftest::test_dump_2): Rename to...
5784 (selftest::test_struct): ...this. Provide a region_model_manager
5785 when creating region_model instance. Remove dump test. Add
5786 checks for get_offset.
5787 (selftest::test_dump_3): Rename to...
5788 (selftest::test_array_1): ...this. Provide a region_model_manager
5789 when creating region_model instance. Remove dump test.
5790 (selftest::test_get_representative_tree): Port from svalue_id to
5791 new API. Add test coverage for various expressions.
5792 (selftest::test_unique_constants): Provide a region_model_manager
5793 for the region_model. Add test coverage for comparing const vs
5794 non-const.
5795 (selftest::test_svalue_equality): Delete.
5796 (selftest::test_region_equality): Delete.
5797 (selftest::test_unique_unknowns): New.
5798 (class purge_all_svalue_ids): Delete.
5799 (class purge_one_svalue_id): Delete.
5800 (selftest::test_purging_by_criteria): Delete.
5801 (selftest::test_initial_svalue_folding): New.
5802 (selftest::test_unaryop_svalue_folding): New.
5803 (selftest::test_binop_svalue_folding): New.
5804 (selftest::test_sub_svalue_folding): New.
5805 (selftest::test_purge_unused_svalues): Delete.
5806 (selftest::test_descendent_of_p): New.
5807 (selftest::test_assignment): Provide a region_model_manager for
5808 the region_model. Drop the dump test.
5809 (selftest::test_compound_assignment): Likewise.
5810 (selftest::test_stack_frames): Port to new implementation.
5811 (selftest::test_get_representative_path_var): Likewise.
5812 (selftest::test_canonicalization_1): Rename to...
5813 (selftest::test_equality_1): ...this. Port to new API, and add
5814 (selftest::test_canonicalization_2): Provide a
5815 region_model_manager when creating region_model instances.
5816 Remove redundant canonicalization.
5817 (selftest::test_canonicalization_3): Provide a
5818 region_model_manager when creating region_model instances.
5819 Remove param from calls to region_model::canonicalize.
5820 (selftest::test_canonicalization_4): Likewise.
5821 (selftest::assert_region_models_merge): Constify
5822 out_merged_svalue. Port to new API.
5823 (selftest::test_state_merging): Provide a
5824 region_model_manager when creating region_model instances.
5825 Provide a program_point point when merging them. Replace
5826 set_to_new_unknown_value with usage of placeholder_svalues.
5827 Drop get_value_by_name. Port from svalue_id to const svalue *.
5828 Add test of heap allocation.
5829 (selftest::test_constraint_merging): Provide a
5830 region_model_manager when creating region_model instances.
5831 Provide a program_point point when merging them. Eliminate use
5832 of set_to_new_unknown_value.
5833 (selftest::test_widening_constraints): New.
5834 (selftest::test_iteration_1): New.
5835 (selftest::test_malloc_constraints): Port to store-based
5836 implementation.
5837 (selftest::test_var): New test.
5838 (selftest::test_array_2): New test.
5839 (selftest::test_mem_ref): New test.
5840 (selftest::test_POINTER_PLUS_EXPR_then_MEM_REF): New.
5841 (selftest::test_malloc): New.
5842 (selftest::test_alloca): New.
5843 (selftest::analyzer_region_model_cc_tests): Update for renamings.
5844 Call new functions.
5845 * region-model.h (class path_var): Move to analyzer.h.
5846 (class svalue_id): Delete.
5847 (class region_id): Delete.
5848 (class id_map): Delete.
5849 (svalue_id_map): Delete.
5850 (region_id_map): Delete.
5851 (id_map<T>::id_map): Delete.
5852 (id_map<T>::put): Delete.
5853 (id_map<T>::get_dst_for_src): Delete.
5854 (id_map<T>::get_src_for_dst): Delete.
5855 (id_map<T>::dump_to_pp): Delete.
5856 (id_map<T>::dump): Delete.
5857 (id_map<T>::update): Delete.
5858 (one_way_svalue_id_map): Delete.
5859 (one_way_region_id_map): Delete.
5860 (class region_id_set): Delete.
5861 (class svalue_id_set): Delete.
5862 (struct complexity): New.
5863 (class visitor): New.
5864 (enum svalue_kind): Add SK_SETJMP, SK_INITIAL, SK_UNARYOP,
5865 SK_BINOP, SK_SUB, SK_UNMERGEABLE, SK_PLACEHOLDER, SK_WIDENING,
5866 SK_COMPOUND, and SK_CONJURED.
5867 (svalue::operator==): Delete.
5868 (svalue::operator!=): Delete.
5869 (svalue::clone): Delete.
5870 (svalue::hash): Delete.
5871 (svalue::dump_dot_to_pp): Delete.
5872 (svalue::dump_to_pp): New.
5873 (svalue::dump): New.
5874 (svalue::get_desc): New.
5875 (svalue::dyn_cast_initial_svalue): New.
5876 (svalue::dyn_cast_unaryop_svalue): New.
5877 (svalue::dyn_cast_binop_svalue): New.
5878 (svalue::dyn_cast_sub_svalue): New.
5879 (svalue::dyn_cast_unmergeable_svalue): New.
5880 (svalue::dyn_cast_widening_svalue): New.
5881 (svalue::dyn_cast_compound_svalue): New.
5882 (svalue::dyn_cast_conjured_svalue): New.
5883 (svalue::maybe_undo_cast): New.
5884 (svalue::unwrap_any_unmergeable): New.
5885 (svalue::remap_region_ids): Delete.
5886 (svalue::can_merge_p): New.
5887 (svalue::walk_for_canonicalization): Delete.
5888 (svalue::get_complexity): New.
5889 (svalue::get_child_sid): Delete.
5890 (svalue::accept): New.
5891 (svalue::live_p): New.
5892 (svalue::implicitly_live_p): New.
5893 (svalue::svalue): Add complexity param.
5894 (svalue::add_to_hash): Delete.
5895 (svalue::print_details): Delete.
5896 (svalue::m_complexity): New field.
5897 (region_svalue::key_t): New struct.
5898 (region_svalue::region_svalue): Port from region_id to
5899 const region_id *. Add complexity.
5900 (region_svalue::compare_fields): Delete.
5901 (region_svalue::clone): Delete.
5902 (region_svalue::dump_dot_to_pp): Delete.
5903 (region_svalue::get_pointee): Port from region_id to
5904 const region_id *.
5905 (region_svalue::remap_region_ids): Delete.
5906 (region_svalue::merge_values): Delete.
5907 (region_svalue::dump_to_pp): New.
5908 (region_svalue::accept): New.
5909 (region_svalue::walk_for_canonicalization): Delete.
5910 (region_svalue::eval_condition): Make params const.
5911 (region_svalue::add_to_hash): Delete.
5912 (region_svalue::print_details): Delete.
5913 (region_svalue::m_rid): Replace with...
5914 (region_svalue::m_reg): ...this.
5915 (is_a_helper <region_svalue *>::test): Convert to...
5916 (is_a_helper <const region_svalue *>::test): ...this.
5917 (template <> struct default_hash_traits<region_svalue::key_t>):
5918 New.
5919 (constant_svalue::constant_svalue): Add complexity.
5920 (constant_svalue::compare_fields): Delete.
5921 (constant_svalue::clone): Delete.
5922 (constant_svalue::add_to_hash): Delete.
5923 (constant_svalue::dump_to_pp): New.
5924 (constant_svalue::accept): New.
5925 (constant_svalue::implicitly_live_p): New.
5926 (constant_svalue::merge_values): Delete.
5927 (constant_svalue::eval_condition): Make params const.
5928 (constant_svalue::get_child_sid): Delete.
5929 (constant_svalue::print_details): Delete.
5930 (is_a_helper <constant_svalue *>::test): Convert to...
5931 (is_a_helper <const constant_svalue *>::test): ...this.
5932 (class unknown_svalue): Update leading comment.
5933 (unknown_svalue::unknown_svalue): Add complexity.
5934 (unknown_svalue::compare_fields): Delete.
5935 (unknown_svalue::add_to_hash): Delete.
5936 (unknown_svalue::dyn_cast_unknown_svalue): Delete.
5937 (unknown_svalue::print_details): Delete.
5938 (unknown_svalue::dump_to_pp): New.
5939 (unknown_svalue::accept): New.
5940 (poisoned_svalue::key_t): New struct.
5941 (poisoned_svalue::poisoned_svalue): Add complexity.
5942 (poisoned_svalue::compare_fields): Delete.
5943 (poisoned_svalue::clone): Delete.
5944 (poisoned_svalue::add_to_hash): Delete.
5945 (poisoned_svalue::dump_to_pp): New.
5946 (poisoned_svalue::accept): New.
5947 (poisoned_svalue::print_details): Delete.
5948 (is_a_helper <poisoned_svalue *>::test): Convert to...
5949 (is_a_helper <const poisoned_svalue *>::test): ...this.
5950 (template <> struct default_hash_traits<poisoned_svalue::key_t>):
5951 New.
5952 (setjmp_record::add_to_hash): New.
5953 (setjmp_svalue::key_t): New struct.
5954 (setjmp_svalue::compare_fields): Delete.
5955 (setjmp_svalue::clone): Delete.
5956 (setjmp_svalue::add_to_hash): Delete.
5957 (setjmp_svalue::setjmp_svalue): Add complexity.
5958 (setjmp_svalue::dump_to_pp): New.
5959 (setjmp_svalue::accept): New.
5960 (setjmp_svalue::void print_details): Delete.
5961 (is_a_helper <const setjmp_svalue *>::test): New.
5962 (template <> struct default_hash_traits<setjmp_svalue::key_t>): New.
5963 (class initial_svalue : public svalue): New.
5964 (is_a_helper <const initial_svalue *>::test): New.
5965 (class unaryop_svalue): New.
5966 (is_a_helper <const unaryop_svalue *>::test): New.
5967 (template <> struct default_hash_traits<unaryop_svalue::key_t>): New.
5968 (class binop_svalue): New.
5969 (is_a_helper <const binop_svalue *>::test): New.
5970 (template <> struct default_hash_traits<binop_svalue::key_t>): New.
5971 (class sub_svalue): New.
5972 (is_a_helper <const sub_svalue *>::test): New.
5973 (template <> struct default_hash_traits<sub_svalue::key_t>): New.
5974 (class unmergeable_svalue): New.
5975 (is_a_helper <const unmergeable_svalue *>::test): New.
5976 (class placeholder_svalue): New.
5977 (is_a_helper <placeholder_svalue *>::test): New.
5978 (class widening_svalue): New.
5979 (is_a_helper <widening_svalue *>::test): New.
5980 (template <> struct default_hash_traits<widening_svalue::key_t>): New.
5981 (class compound_svalue): New.
5982 (is_a_helper <compound_svalue *>::test): New.
5983 (template <> struct default_hash_traits<compound_svalue::key_t>): New.
5984 (class conjured_svalue): New.
5985 (is_a_helper <conjured_svalue *>::test): New.
5986 (template <> struct default_hash_traits<conjured_svalue::key_t>): New.
5987 (enum region_kind): Delete RK_PRIMITIVE, RK_STRUCT, RK_UNION, and
5988 RK_ARRAY. Add RK_LABEL, RK_DECL, RK_FIELD, RK_ELEMENT, RK_OFFSET,
5989 RK_CAST, RK_HEAP_ALLOCATED, RK_ALLOCA, RK_STRING, and RK_UNKNOWN.
5990 (region_kind_to_str): Delete.
5991 (region::~region): Move implementation to region.cc.
5992 (region::operator==): Delete.
5993 (region::operator!=): Delete.
5994 (region::clone): Delete.
5995 (region::get_id): New.
5996 (region::cmp_ids): New.
5997 (region::dyn_cast_map_region): Delete.
5998 (region::dyn_cast_array_region): Delete.
5999 (region::region_id get_parent): Delete.
6000 (region::get_parent_region): Convert to a simple accessor.
6001 (region::void set_value): Delete.
6002 (region::svalue_id get_value): Delete.
6003 (region::svalue_id get_value_direct): Delete.
6004 (region::svalue_id get_inherited_child_sid): Delete.
6005 (region::dyn_cast_frame_region): New.
6006 (region::dyn_cast_function_region): New.
6007 (region::dyn_cast_decl_region): New.
6008 (region::dyn_cast_field_region): New.
6009 (region::dyn_cast_element_region): New.
6010 (region::dyn_cast_offset_region): New.
6011 (region::dyn_cast_cast_region): New.
6012 (region::dyn_cast_string_region): New.
6013 (region::accept): New.
6014 (region::get_base_region): New.
6015 (region::base_region_p): New.
6016 (region::descendent_of_p): New.
6017 (region::maybe_get_frame_region): New.
6018 (region::maybe_get_decl): New.
6019 (region::hash): Delete.
6020 (region::print): Delete.
6021 (region::dump_dot_to_pp): Delete.
6022 (region::get_desc): New.
6023 (region::dump_to_pp): Convert to vfunc, changing signature.
6024 (region::dump_child_label): Delete.
6025 (region::remap_svalue_ids): Delete.
6026 (region::remap_region_ids): Delete.
6027 (region::dump): New.
6028 (region::walk_for_canonicalization): Delete.
6029 (region::non_null_p): Drop region_model param.
6030 (region::add_view): Delete.
6031 (region::get_view): Delete.
6032 (region::get_active_view): Delete.
6033 (region::is_view_p): Delete.
6034 (region::cmp_ptrs): New.
6035 (region::validate): Delete.
6036 (region::get_offset): New.
6037 (region::get_byte_size): New.
6038 (region::get_bit_size): New.
6039 (region::get_subregions_for_binding): New.
6040 (region::region): Add complexity param. Convert parent from
6041 region_id to const region *. Drop svalue_id. Drop copy ctor.
6042 (region::symbolic_for_unknown_ptr_p): New.
6043 (region::add_to_hash): Delete.
6044 (region::print_fields): Delete.
6045 (region::get_complexity): New accessor.
6046 (region::become_active_view): Delete.
6047 (region::deactivate_any_active_view): Delete.
6048 (region::deactivate_view): Delete.
6049 (region::calc_offset): New.
6050 (region::m_parent_rid): Delete.
6051 (region::m_sval_id): Delete.
6052 (region::m_complexity): New.
6053 (region::m_id): New.
6054 (region::m_parent): New.
6055 (region::m_view_rids): Delete.
6056 (region::m_is_view): Delete.
6057 (region::m_active_view_rid): Delete.
6058 (region::m_cached_offset): New.
6059 (is_a_helper <region *>::test): Convert to...
6060 (is_a_helper <const region *>::test): ...this.
6061 (class primitive_region): Delete.
6062 (class space_region): New.
6063 (class map_region): Delete.
6064 (is_a_helper <map_region *>::test): Delete.
6065 (class frame_region): Reimplement.
6066 (template <> struct default_hash_traits<frame_region::key_t>):
6067 New.
6068 (class globals_region): Reimplement.
6069 (is_a_helper <globals_region *>::test): Convert to...
6070 (is_a_helper <const globals_region *>::test): ...this.
6071 (class struct_or_union_region): Delete.
6072 (is_a_helper <struct_or_union_region *>::test): Delete.
6073 (class code_region): Reimplement.
6074 (is_a_helper <const code_region *>::test): New.
6075 (class struct_region): Delete.
6076 (is_a_helper <struct_region *>::test): Delete.
6077 (class function_region): Reimplement.
6078 (is_a_helper <function_region *>::test): Convert to...
6079 (is_a_helper <const function_region *>::test): ...this.
6080 (class union_region): Delete.
6081 (is_a_helper <union_region *>::test): Delete.
6082 (class label_region): New.
6083 (is_a_helper <const label_region *>::test): New.
6084 (class scope_region): Delete.
6085 (class stack_region): Reimplement.
6086 (is_a_helper <stack_region *>::test): Convert to...
6087 (is_a_helper <const stack_region *>::test): ...this.
6088 (class heap_region): Reimplement.
6089 (is_a_helper <heap_region *>::test): Convert to...
6090 (is_a_helper <const heap_region *>::test): ...this.
6091 (class root_region): Reimplement.
6092 (is_a_helper <root_region *>::test): Convert to...
6093 (is_a_helper <const root_region *>::test): ...this.
6094 (class symbolic_region): Reimplement.
6095 (is_a_helper <const symbolic_region *>::test): New.
6096 (template <> struct default_hash_traits<symbolic_region::key_t>):
6097 New.
6098 (class decl_region): New.
6099 (is_a_helper <const decl_region *>::test): New.
6100 (class field_region): New.
6101 (template <> struct default_hash_traits<field_region::key_t>): New.
6102 (class array_region): Delete.
6103 (class element_region): New.
6104 (is_a_helper <array_region *>::test): Delete.
6105 (is_a_helper <const element_region *>::test): New.
6106 (template <> struct default_hash_traits<element_region::key_t>):
6107 New.
6108 (class offset_region): New.
6109 (is_a_helper <const offset_region *>::test): New.
6110 (template <> struct default_hash_traits<offset_region::key_t>):
6111 New.
6112 (class cast_region): New.
6113 (is_a_helper <const cast_region *>::test): New.
6114 (template <> struct default_hash_traits<cast_region::key_t>): New.
6115 (class heap_allocated_region): New.
6116 (class alloca_region): New.
6117 (class string_region): New.
6118 (is_a_helper <const string_region *>::test): New.
6119 (class unknown_region): New.
6120 (class region_model_manager): New.
6121 (struct append_ssa_names_cb_data): New.
6122 (class call_details): New.
6123 (region_model::region_model): Add region_model_manager param.
6124 (region_model::print_svalue): Delete.
6125 (region_model::dump_dot_to_pp): Delete.
6126 (region_model::dump_dot_to_file): Delete.
6127 (region_model::dump_dot): Delete.
6128 (region_model::dump_to_pp): Drop summarize param in favor of
6129 simple and multiline.
6130 (region_model::dump): Likewise.
6131 (region_model::summarize_to_pp): Delete.
6132 (region_model::summarize): Delete.
6133 (region_model::void canonicalize): Drop ctxt param.
6134 (region_model::void check_for_poison): Delete.
6135 (region_model::get_gassign_result): New.
6136 (region_model::impl_call_alloca): New.
6137 (region_model::impl_call_analyzer_describe): New.
6138 (region_model::impl_call_analyzer_eval): New.
6139 (region_model::impl_call_builtin_expect): New.
6140 (region_model::impl_call_calloc): New.
6141 (region_model::impl_call_free): New.
6142 (region_model::impl_call_malloc): New.
6143 (region_model::impl_call_memset): New.
6144 (region_model::impl_call_strlen): New.
6145 (region_model::get_reachable_svalues): New.
6146 (region_model::handle_phi): Drop is_back_edge param.
6147 (region_model::region_id get_root_rid): Delete.
6148 (region_model::root_region *get_root_region): Delete.
6149 (region_model::region_id get_stack_region_id): Delete.
6150 (region_model::push_frame): Convert from region_id and svalue_id
6151 to const region * and const svalue *.
6152 (region_model::get_current_frame_id): Replace with...
6153 (region_model::get_current_frame): ...this.
6154 (region_model::pop_frame): Convert from region_id to
6155 const region *. Drop purge and stats param. Add out_result.
6156 (region_model::function *get_function_at_depth): Delete.
6157 (region_model::get_globals_region_id): Delete.
6158 (region_model::add_svalue): Delete.
6159 (region_model::replace_svalue): Delete.
6160 (region_model::add_region): Delete.
6161 (region_model::add_region_for_type): Delete.
6162 (region_model::get_svalue): Delete.
6163 (region_model::get_region): Delete.
6164 (region_model::get_lvalue): Convert from region_id to
6165 const region *.
6166 (region_model::get_rvalue): Convert from svalue_id to
6167 const svalue *.
6168 (region_model::get_or_create_ptr_svalue): Delete.
6169 (region_model::get_or_create_constant_svalue): Delete.
6170 (region_model::get_svalue_for_fndecl): Delete.
6171 (region_model::get_svalue_for_label): Delete.
6172 (region_model::get_region_for_fndecl): Delete.
6173 (region_model::get_region_for_label): Delete.
6174 (region_model::get_frame_at_index (int index) const;): New.
6175 (region_model::maybe_cast): Delete.
6176 (region_model::maybe_cast_1): Delete.
6177 (region_model::get_field_region): Delete.
6178 (region_model::id deref_rvalue): Convert from region_id and
6179 svalue_id to const region * and const svalue *. Drop overload,
6180 passing in both a tree and an svalue.
6181 (region_model::set_value): Convert from region_id and svalue_id to
6182 const region * and const svalue *.
6183 (region_model::set_to_new_unknown_value): Delete.
6184 (region_model::clobber_region (const region *reg);): New.
6185 (region_model::purge_region (const region *reg);): New.
6186 (region_model::zero_fill_region (const region *reg);): New.
6187 (region_model::mark_region_as_unknown (const region *reg);): New.
6188 (region_model::copy_region): Convert from region_id to
6189 const region *.
6190 (region_model::eval_condition): Convert from svalue_id to
6191 const svalue *.
6192 (region_model::eval_condition_without_cm): Likewise.
6193 (region_model::compare_initial_and_pointer): New.
6194 (region_model::maybe_get_constant): Delete.
6195 (region_model::add_new_malloc_region): Delete.
6196 (region_model::get_representative_tree): Convert from svalue_id to
6197 const svalue *.
6198 (region_model::get_representative_path_var): Delete decl taking a
6199 region_id in favor of two decls, for svalue vs region, with an
6200 svalue_set to ensure termination.
6201 (region_model::get_path_vars_for_svalue): Delete.
6202 (region_model::create_region_for_heap_alloc): New.
6203 (region_model::create_region_for_alloca): New.
6204 (region_model::purge_unused_svalues): Delete.
6205 (region_model::remap_svalue_ids): Delete.
6206 (region_model::remap_region_ids): Delete.
6207 (region_model::purge_regions): Delete.
6208 (region_model::get_num_svalues): Delete.
6209 (region_model::get_num_regions): Delete.
6210 (region_model::get_descendents): Delete.
6211 (region_model::get_store): New.
6212 (region_model::delete_region_and_descendents): Delete.
6213 (region_model::get_manager): New.
6214 (region_model::unbind_region_and_descendents): New.
6215 (region_model::can_merge_with_p): Add point param. Drop
6216 svalue_id_merger_mapping.
6217 (region_model::get_value_by_name): Delete.
6218 (region_model::convert_byte_offset_to_array_index): Delete.
6219 (region_model::get_or_create_mem_ref): Delete.
6220 (region_model::get_or_create_pointer_plus_expr): Delete.
6221 (region_model::get_or_create_view): Delete.
6222 (region_model::get_lvalue_1): Convert from region_id to
6223 const region *.
6224 (region_model::get_rvalue_1): Convert from svalue_id to
6225 const svalue *.
6226 (region_model::get_ssa_name_regions_for_current_frame): New.
6227 (region_model::append_ssa_names_cb): New.
6228 (region_model::get_store_value): New.
6229 (region_model::copy_struct_region): Delete.
6230 (region_model::copy_union_region): Delete.
6231 (region_model::copy_array_region): Delete.
6232 (region_model::region_exists_p): New.
6233 (region_model::make_region_for_unexpected_tree_code): Delete.
	(region_model::loop_replay_fixup): New.
	(region_model::poison_any_pointers_to_bad_regions): Delete.
	(region_model::poison_any_pointers_to_descendents): New.
	(region_model::dump_summary_of_rep_path_vars): Delete.
	(region_model::on_top_level_param): New.
	(region_model::record_dynamic_extents): New.
	(region_model::m_mgr;): New.
	(region_model::m_store;): New.
	(region_model::m_svalues;): Delete.
	(region_model::m_regions;): Delete.
	(region_model::m_root_rid;): Delete.
	(region_model::m_current_frame;): New.
	(region_model_context::remap_svalue_ids): Delete.
	(region_model_context::can_purge_p): Delete.
	(region_model_context::on_svalue_leak): New.
	(region_model_context::on_svalue_purge): Delete.
	(region_model_context::on_liveness_change): New.
	(region_model_context::on_inherited_svalue): Delete.
	(region_model_context::on_cast): Delete.
	(region_model_context::on_unknown_change): Convert from svalue_id to
	const svalue * and add is_mutable.
	(class noop_region_model_context): Update for region_model_context
	changes.
	(model_merger::model_merger): Add program_point. Drop
	svalue_id_merger_mapping.
	(model_merger::dump_to_pp): Add "simple" param.
	(model_merger::dump): Likewise.
	(model_merger::get_region_a): Delete.
	(model_merger::get_region_b): Delete.
	(model_merger::can_merge_values_p): Delete.
	(model_merger::record_regions): Delete.
	(model_merger::record_svalues): Delete.
	(model_merger::m_point): New field.
	(model_merger::m_map_regions_from_a_to_m): Delete.
	(model_merger::m_map_regions_from_b_to_m): Delete.
	(model_merger::m_sid_mapping): Delete.
	(struct svalue_id_merger_mapping): Delete.
	(class engine): New.
	(struct canonicalization): Delete.
	(inchash::add): Delete decls for hashing svalue_id and region_id.
	(test_region_model_context::on_unexpected_tree_code): Require t to
	be non-NULL.
	(selftest::assert_condition): Add overload comparing a pair of
	const svalue *.
	* sm-file.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(fileptr_state_machine::get_default_state): New.
	(fileptr_state_machine::on_stmt): Remove calls to
	get_readable_tree in favor of get_diagnostic_tree.
	* sm-malloc.cc: Include "tristate.h", "selftest.h",
	"analyzer/call-string.h", "analyzer/program-point.h",
	"analyzer/store.h", and "analyzer/region-model.h".
	(malloc_state_machine::get_default_state): New.
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New.
	(malloc_diagnostic::describe_state_change): Handle change.m_expr
	being NULL.
	(null_arg::emit): Avoid printing "NULL '0'".
	(null_arg::describe_final_event): Avoid printing "(0) NULL".
	(malloc_leak::emit): Handle m_arg being NULL.
	(malloc_leak::describe_final_event): Handle ev.m_expr being NULL.
	(malloc_state_machine::on_stmt): Don't call get_readable_tree.
	Call get_diagnostic_tree when creating pending diagnostics.
	Update for is_zero_assignment becoming a member function of
	sm_ctxt.
	Don't transition to m_non_heap for ADDR_EXPR(MEM_REF()).
	(malloc_state_machine::reset_when_passed_to_unknown_fn_p): New
	vfunc implementation.
	* sm-sensitive.cc (sensitive_state_machine::warn_for_any_exposure): Call
	get_diagnostic_tree and pass the result to warn_for_state.
	* sm-signal.cc: Move includes of "analyzer/call-string.h" and
	"analyzer/program-point.h" to before "analyzer/region-model.h",
	and also include "analyzer/store.h" before it.
	(signal_unsafe_call::describe_state_change): Use
	get_dest_function to get handler.
	(update_model_for_signal_handler): Pass manager to region_model
	ctor.
	(register_signal_handler::impl_transition): Update for changes to
	get_or_create_node and add_edge.
	* sm-taint.cc (taint_state_machine::on_stmt): Remove calls to
	get_readable_tree, replacing them when calling warn_for_state with
	calls to get_diagnostic_tree.
	* sm.cc (is_zero_assignment): Delete.
	(any_pointer_p): Move to within namespace ana.
	* sm.h (is_zero_assignment): Remove decl.
	(any_pointer_p): Move decl to within namespace ana.
	(state_machine::get_default_state): New vfunc.
	(state_machine::reset_when_passed_to_unknown_fn_p): New vfunc.
	(sm_context::get_readable_tree): Rename to...
	(sm_context::get_diagnostic_tree): ...this.
	(sm_context::is_zero_assignment): New vfunc.
	* store.cc: New file.
	* store.h: New file.
	* svalue.cc: New file.

2020-05-22  Mark Wielaard  <mark@klomp.org>

	* sm-signal.cc (signal_unsafe_call::emit): Possibly add
	gcc_rich_location note for replacement.
	(signal_unsafe_call::get_replacement_fn): New private function.
	(get_async_signal_unsafe_fns): Add "exit".

2020-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94816
	* engine.cc (impl_region_model_context::on_unexpected_tree_code):
	Handle NULL tree.
	* region-model.cc (region_model::add_region_for_type): Handle
	NULL type.
	* region-model.h
	(test_region_model_context::on_unexpected_tree_code): Handle NULL
	tree.

2020-04-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94447
	PR analyzer/94639
	PR analyzer/94732
	PR analyzer/94754
	* analyzer.opt (Wanalyzer-use-of-uninitialized-value): Delete.
	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump result for removal of "uninit".
	* region-model.cc (poison_kind_to_str): Delete POISON_KIND_UNINIT
	case.
	(root_region::ensure_stack_region): Initialize stack with null
	svalue_id rather than with a typeless POISON_KIND_UNINIT value.
	(root_region::ensure_heap_region): Likewise for the heap.
	(region_model::dump_summary_of_rep_path_vars): Remove
	summarization of uninit values.
	(region_model::validate): Remove check that the stack has a
	POISON_KIND_UNINIT value.
	(poisoned_value_diagnostic::emit): Remove POISON_KIND_UNINIT
	case.
	(poisoned_value_diagnostic::describe_final_event): Likewise.
	(selftest::test_dump): Update expected dump result for removal of
	"uninit".
	(selftest::test_svalue_equality): Remove "uninit" and "freed".
	* region-model.h (enum poison_kind): Remove POISON_KIND_UNINIT.

2020-04-01  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94378
	* checker-path.cc: Include "bitmap.h".
	* constraint-manager.cc: Likewise.
	* diagnostic-manager.cc: Likewise.
	* engine.cc: Likewise.
	(exploded_node::detect_leaks): Pass null region_id to pop_frame.
	* program-point.cc: Include "bitmap.h".
	* program-state.cc: Likewise.
	* region-model.cc (id_set<region_id>::id_set): Convert to...
	(region_id_set::region_id_set): ...this.
	(svalue_id_set::svalue_id_set): New ctor.
	(region_model::copy_region): New function.
	(region_model::copy_struct_region): New function.
	(region_model::copy_union_region): New function.
	(region_model::copy_array_region): New function.
	(stack_region::pop_frame): Drop return value. Add
	"result_dst_rid" param; if it is non-null, use copy_region to copy
	the result to it. Rather than capture and pass a single "known
	used" return value to be used by purge_unused_values, instead
	gather and pass a set of known used return values.
	(root_region::pop_frame): Drop return value. Add "result_dst_rid"
	param.
	(region_model::on_assignment): Use copy_region.
	(region_model::on_return): Likewise for the result.
	(region_model::on_longjmp): Pass null for pop_frame's
	result_dst_rid.
	(region_model::update_for_return_superedge): Pass the region for the
	return value of the call, if any, to pop_frame, rather than setting
	the lvalue for the lhs of the result.
	(region_model::pop_frame): Drop return value. Add
	"result_dst_rid" param.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *, updating the initial populating
	of the "used" bitmap accordingly. Don't remap it when done.
	(struct selftest::coord_test): New selftest fixture, extracted from...
	(selftest::test_dump_2): ...here.
	(selftest::test_compound_assignment): New selftest.
	(selftest::test_stack_frames): Pass null to new param of pop_frame.
	(selftest::analyzer_region_model_cc_tests): Call the new selftest.
	* region-model.h (class id_set): Delete template.
	(class region_id_set): Reimplement, using old id_set implementation.
	(class svalue_id_set): Likewise. Convert from auto_sbitmap to
	auto_bitmap.
	(region::get_active_view): New accessor.
	(stack_region::pop_frame): Drop return value. Add
	"result_dst_rid" param.
	(root_region::pop_frame): Likewise.
	(region_model::pop_frame): Likewise.
	(region_model::copy_region): New decl.
	(region_model::purge_unused_svalues): Convert third param from an
	svalue_id * to an svalue_id_set *.
	(region_model::copy_struct_region): New decl.
	(region_model::copy_union_region): New decl.
	(region_model::copy_array_region): New decl.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (selftest::test_program_state_dumping): Update
	expected dump to include symbolic_region's possibly_null field.
	* region-model.cc (symbolic_region::print_fields): New vfunc
	implementation.
	(region_model::add_constraint): Clear m_possibly_null from
	symbolic_regions now known to be non-NULL.
	(selftest::test_malloc_constraints): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_symbolic_region): Add non-const
	overload.
	(symbolic_region::dyn_cast_symbolic_region): Implement it.
	(symbolic_region::print_fields): New vfunc override decl.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class feasibility_problem): New forward decl.
	* diagnostic-manager.cc (saved_diagnostic::saved_diagnostic):
	Initialize new fields m_status, m_epath_length, and m_problem.
	(saved_diagnostic::~saved_diagnostic): Delete m_problem.
	(dedupe_candidate::dedupe_candidate): Convert "sd" param from a
	const ref to a mutable ptr.
	(dedupe_winners::add): Convert "sd" param from a const ref to a
	mutable ptr. Record the length of the exploded_path. Record the
	feasibility/infeasibility of sd into sd, capturing a
	feasibility_problem when feasible_p fails, and storing it in sd.
	(diagnostic_manager::emit_saved_diagnostics): Update for pass by
	ptr rather than by const ref.
	* diagnostic-manager.h (class saved_diagnostic): Add new enum
	status. Add fields m_status, m_epath_length and m_problem.
	(saved_diagnostic::set_feasible): New member function.
	(saved_diagnostic::set_infeasible): New member function.
	(saved_diagnostic::get_feasibility_problem): New accessor.
	(saved_diagnostic::get_status): New accessor.
	(saved_diagnostic::set_epath_length): New member function.
	(saved_diagnostic::get_epath_length): New accessor.
	* engine.cc: Include "gimple-pretty-print.h".
	(exploded_path::feasible_p): Add OUT param and, if non-NULL, write
	a new feasibility_problem to it on failure.
	(viz_callgraph_node::dump_dot): Convert begin_tr calls to
	begin_trtd. Convert end_tr calls to end_tdtr.
	(class exploded_graph_annotator): New subclass of dot_annotator.
	(impl_run_checkers): Add a second -fdump-analyzer-supergraph dump
	after the analysis runs, using exploded_graph_annotator, dumping
	to DUMP_BASE_NAME.supergraph-eg.dot.
	* exploded-graph.h (exploded_node::get_dot_fillcolor): Make
	public.
	(exploded_path::feasible_p): Add OUT param.
	(class feasibility_problem): New class.
	* state-purge.cc (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(print_vec_of_names): Convert begin_tr calls to begin_trtd.
	Convert end_tr calls to end_tdtr.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* state-purge.h (state_purge_annotator::add_node_annotations):
	Return a bool, add a "within_table" param.
	(state_purge_annotator::add_stmt_annotations): Add "within_row"
	param.
	* supergraph.cc (supernode::dump_dot): Call add_node_annotations
	twice: as before, passing false for "within_table", then again
	with true when within the TABLE element. Convert some begin_tr
	calls to begin_trtd, and some end_tr calls to end_tdtr.
	Repeat each add_stmt_annotations call, distinguishing between
	calls that add TRs and those that add TDs to an existing TR.
	Add a call to add_after_node_annotations.
	* supergraph.h (dot_annotator::add_node_annotations): Add a
	"within_table" param.
	(dot_annotator::add_stmt_annotations): Add a "within_row" param.
	(dot_annotator::add_after_node_annotations): New vfunc.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Show the
	exploded_node index in the log messages.
	(diagnostic_manager::emit_saved_diagnostics): Log a summary of
	m_saved_diagnostics at entry.

2020-03-27  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.cc (superedge::dump): Add space before description;
	move newline to non-pretty_printer overload.

2020-03-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc: Include "stor-layout.h".
	(region_model::dump_to_pp): Rather than calling
	dump_summary_of_map on each of the current frame and the globals,
	instead get a vec of representative path_vars for all regions,
	and then dump a summary of all of them.
	(region_model::dump_summary_of_map): Delete, rewriting into...
	(region_model::dump_summary_of_rep_path_vars): ...this new
	function, working on a vec of path_vars.
	(region_model::set_value): New overload.
	(region_model::get_representative_path_var): Rename
	"parent_region" local to "parent_reg" and consolidate with other
	local. Guard test for grandparent being stack on parent_reg being
	non-NULL. Move handling for parent being an array_region to
	within guard for parent_reg being non-NULL.
	(selftest::make_test_compound_type): New function.
	(selftest::test_dump_2): New selftest.
	(selftest::test_dump_3): New selftest.
	(selftest::test_stack_frames): Update expected output from
	simplified dump to show "a" and "b" from parent frame and "y" in
	child frame.
	(selftest::analyzer_region_model_cc_tests): Call test_dump_2 and
	test_dump_3.
	* region-model.h (region_model::set_value): New overload decl.
	(region_model::dump_summary_of_map): Delete.
	(region_model::dump_summary_of_rep_path_vars): New.

2020-03-18  David Malcolm  <dmalcolm@redhat.com>

	* region-model.h (class noop_region_model_context): New subclass
	of region_model_context.
	(class tentative_region_model_context): Inherit from
	noop_region_model_context rather than from region_model_context;
	drop redundant vfunc implementations.
	(class test_region_model_context): Likewise.

2020-03-18  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::exploded_node): Move implementation
	here from header; accept point_and_state by const reference rather
	than by value.
	* exploded-graph.h (exploded_node::exploded_node): Pass
	point_and_state by const reference rather than by value. Move
	body to engine.cc.

2020-03-18  Jakub Jelinek  <jakub@redhat.com>

	* sm-malloc.cc (malloc_state_machine::on_stmt): Fix up duplicated word
	issue in a comment.
	* region-model.cc (region_model::make_region_for_unexpected_tree_code,
	region_model::delete_region_and_descendents): Likewise.
	* engine.cc (class exploded_cluster): Likewise.
	* diagnostic-manager.cc (class path_builder): Likewise.

2020-03-13  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/94099
	PR analyzer/94105
	* diagnostic-manager.cc (for_each_state_change): Bulletproof
	against errors in get_rvalue by passing a
	tentative_region_model_context and rejecting if there's an error.
	* region-model.cc (region_model::get_lvalue_1): When handling
	ARRAY_REF, handle results of error-handling. Handle NOP_EXPR.

2020-03-06  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (class array_region): New forward decl.
	* program-state.cc (selftest::test_program_state_dumping_2): New.
	(selftest::analyzer_program_state_cc_tests): Call it.
	* region-model.cc (array_region::constant_from_key): New.
	(region_model::get_representative_tree): Handle region_svalue by
	generating an ADDR_EXPR.
	(region_model::get_representative_path_var): In view handling,
	remove erroneous TREE_TYPE when determining the type of the tree.
	Handle array regions and STRING_CST.
	(selftest::assert_dump_tree_eq): New.
	(ASSERT_DUMP_TREE_EQ): New macro.
	(selftest::test_get_representative_tree): New selftest.
	(selftest::analyzer_region_model_cc_tests): Call it.
	* region-model.h (region::dyn_cast_array_region): New vfunc.
	(array_region::dyn_cast_array_region): New vfunc implementation.
	(array_region::constant_from_key): New decl.

2020-03-06  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (dump_quoted_tree): New decl.
	* engine.cc (exploded_node::dump_dot): Pass region model to
	sm_state_map::print.
	* program-state.cc: Include diagnostic-core.h.
	(sm_state_map::print): Add "model" param and use it to print
	representative trees. Only print origin information if non-null.
	(sm_state_map::dump): Pass NULL for model to print call.
	(program_state::print): Pass region model to sm_state_map::print.
	(program_state::dump_to_pp): Use spaces rather than newlines when
	summarizing. Pass region_model to sm_state_map::print.
	(ana::selftest::assert_dump_eq): New function.
	(ASSERT_DUMP_EQ): New macro.
	(ana::selftest::test_program_state_dumping): New function.
	(ana::selftest::analyzer_program_state_cc_tests): Call it.
	* program-state.h (program_state::print): Add model param.
	* region-model.cc (dump_quoted_tree): New function.
	(map_region::print_fields): Use dump_quoted_tree rather than
	%qE to avoid lang-dependent output.
	(map_region::dump_child_label): Likewise.
	(region_model::dump_summary_of_map): For SK_REGION, when
	get_representative_path_var fails, print the region id rather than
	erroneously printing NULL.
	* sm.cc (state_machine::get_state_by_name): New function.
	* sm.h (state_machine::get_state_by_name): New decl.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region::validate): Convert model param from ptr
	to reference. Update comment to reflect that it's now a vfunc.
	(map_region::validate): New vfunc implementation.
	(array_region::validate): New vfunc implementation.
	(stack_region::validate): New vfunc implementation.
	(root_region::validate): New vfunc implementation.
	(region_model::validate): Pass a reference rather than a pointer
	to the region::validate vfunc.
	* region-model.h (region::validate): Make virtual. Convert model
	param from ptr to reference.
	(map_region::validate): New vfunc decl.
	(array_region::validate): New vfunc decl.
	(stack_region::validate): New vfunc decl.
	(root_region::validate): New vfunc decl.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93993
	* region-model.cc (region_model::on_call_pre): Handle
	BUILT_IN_EXPECT and its variants.
	(region_model::add_any_constraints_from_ssa_def_stmt): Split out
	gassign handling into add_any_constraints_from_gassign; add gcall
	handling.
	(region_model::add_any_constraints_from_gassign): New function,
	based on the above. Add handling for NOP_EXPR.
	(region_model::add_any_constraints_from_gcall): New function.
	(region_model::get_representative_path_var): Handle views.
	* region-model.h
	(region_model::add_any_constraints_from_ssa_def_stmt): New decl.
	(region_model::add_any_constraints_from_gassign): New decl.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93993
	* checker-path.h (state_change_event::get_lvalue): Add ctxt param
	and pass it to region_model::get_value call.
	* diagnostic-manager.cc (get_any_origin): Pass a
	tentative_region_model_context to the calls to get_lvalue and reject
	the comparison if errors occur.
	(can_be_expr_of_interest_p): New function.
	(diagnostic_manager::prune_for_sm_diagnostic): Replace checks for
	CONSTANT_CLASS_P with calls to update_for_unsuitable_sm_exprs.
	Pass a tentative_region_model_context to the calls to
	state_change_event::get_lvalue and reject the comparison if errors
	occur.
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New.
	* diagnostic-manager.h
	(diagnostic_manager::update_for_unsuitable_sm_exprs): New decl.
	* region-model.h (class tentative_region_model_context): New class.

2020-03-04  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (worklist::worklist): Remove unused field m_eg.
	(class viz_callgraph_edge): Remove unused field m_call_sedge.
	(class viz_callgraph): Remove unused field m_sg.
	* exploded-graph.h (worklist::m_eg): Remove unused field.

2020-03-02  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.opt (fanalyzer-show-duplicate-count): New option.
	* diagnostic-manager.cc
	(diagnostic_manager::emit_saved_diagnostic): Use the above to
	guard the printing of the duplicate count.

2020-03-02  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93959
	* analyzer.cc (is_std_function_p): New function.
	(is_std_named_call_p): New function.
	* analyzer.h (is_std_named_call_p): New decl.
	* sm-malloc.cc (malloc_state_machine::on_stmt): Check for "std::"
	variants when checking for malloc, calloc and free.

2020-02-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93950
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Assert that var is
	either NULL or not a constant. When updating var, bulletproof
	against constant values.

2020-02-26  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93947
	* region-model.cc (region_model::get_fndecl_for_call): Gracefully
	fail for fn_decls that don't have a cgraph_node.

2020-02-26  David Malcolm  <dmalcolm@redhat.com>

	* bar-chart.cc: New file.
	* bar-chart.h: New file.
	* engine.cc: Include "analyzer/bar-chart.h".
	(stats::log): Only log the m_num_nodes kinds that are non-zero.
	(stats::dump): Likewise when dumping.
	(stats::get_total_enodes): New.
	(exploded_graph::get_or_create_node): Increment the per-point-data
	m_excess_enodes when hitting the per-program-point limit on
	enodes.
	(exploded_graph::print_bar_charts): New.
	(exploded_graph::log_stats): Log the number of unprocessed enodes
	in the worklist. Call print_bar_charts.
	(exploded_graph::dump_stats): Print the number of unprocessed
	enodes in the worklist.
	* exploded-graph.h (stats::get_total_enodes): New decl.
	(struct per_program_point_data): Add field m_excess_enodes.
	(exploded_graph::print_bar_charts): New decl.
	* supergraph.cc (superedge::dump): New.
	(superedge::dump): New.
	* supergraph.h (supernode::get_function): New.
	(superedge::dump): New decl.
	(superedge::dump): New decl.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_graph::get_or_create_node): Dump the
	program_state to the pp, rather than to stderr.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93032
	* sm.cc (make_checkers): Require the "taint" checker to be
	explicitly enabled.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93899
	* engine.cc
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* engine.cc (exploded_graph::add_function_entry): Create an
	impl_region_model_context and pass it to the push_frame call.
	Bail if the resulting state is invalid.
	(exploded_graph::build_initial_worklist): Likewise.
	(exploded_graph::build_initial_worklist): Handle the case where
	add_function_entry fails.
	* exploded-graph.h
	(impl_region_model_context::impl_region_model_context): Add logger
	param.
	* region-model.cc (map_region::get_or_create): Add ctxt param and
	pass it to add_region_for_type.
	(map_region::can_merge_p): Pass NULL as a ctxt to call to
	get_or_create.
	(array_region::get_element): Pass ctxt to call to get_or_create.
	(array_region::get_or_create): Add ctxt param and pass it to
	add_region_for_type.
	(root_region::push_frame): Pass ctxt to get_or_create calls.
	(region_model::get_lvalue_1): Likewise.
	(region_model::make_region_for_unexpected_tree_code): Assert that
	ctxt is non-NULL.
	(region_model::get_rvalue_1): Pass ctxt to get_svalue_for_fndecl
	and get_svalue_for_label calls.
	(region_model::get_svalue_for_fndecl): Add ctxt param and pass it
	to get_region_for_fndecl.
	(region_model::get_region_for_fndecl): Add ctxt param and pass it
	to get_or_create.
	(region_model::get_svalue_for_label): Add ctxt param and pass it
	to get_region_for_label.
	(region_model::get_region_for_label): Add ctxt param and pass it
	to get_region_for_fndecl and get_or_create.
	(region_model::get_field_region): Add ctxt param and pass it to
	get_or_create_view and get_or_create.
	(make_region_for_type): Replace gcc_unreachable with return NULL.
	(region_model::add_region_for_type): Add ctxt param. Handle a
	return of NULL from make_region_for_type by calling
	make_region_for_unexpected_tree_code.
	(region_model::get_or_create_mem_ref): Pass ctxt to calls to
	get_or_create_view.
	(region_model::get_or_create_view): Add ctxt param and pass it to
	add_region_for_type.
	(selftest::test_state_merging): Pass ctxt to get_or_create_view.
	* region-model.h (region_model::get_or_create): Add ctxt param.
	(region_model::add_region_for_type): Likewise.
	(region_model::get_svalue_for_fndecl): Likewise.
	(region_model::get_svalue_for_label): Likewise.
	(region_model::get_region_for_fndecl): Likewise.
	(region_model::get_region_for_label): Likewise.
	(region_model::get_field_region): Likewise.
	(region_model::get_or_create_view): Likewise.

2020-02-24  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.cc (superedge_event::should_filter_p): Update
	filter for empty descriptions to cover verbosity level 3 as well
	as 2.
	* diagnostic-manager.cc: Include "analyzer/reachability.h".
	(class path_builder): New class.
	(diagnostic_manager::emit_saved_diagnostic): Create a path_builder
	and pass it to build_emission_path, rather than passing eg; similarly
	for add_events_for_eedge and ext_state.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder, pass it to add_events_for_eedge.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder; pass it to add_events_for_superedge.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param. Reject insignificant edges at verbosity levels below 3.
	(diagnostic_manager::prune_for_sm_diagnostic): Update highest
	verbosity level to 4.
	* diagnostic-manager.h (class path_builder): New forward decl.
	(diagnostic_manager::build_emission_path): Replace "eg" param
	with a path_builder.
	(diagnostic_manager::add_events_for_eedge): Replace ext_state
	param with path_builder.
	(diagnostic_manager::significant_edge_p): New.
	(diagnostic_manager::add_events_for_superedge): Add path_builder
	param.
	* reachability.h: New file.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93692
	* analyzer.opt (fdump-analyzer-callgraph): Rewrite description.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93777
	* region-model.cc (region_model::maybe_cast_1): Replace assertion
	that build_cast returns non-NULL with a conditional, falling
	through to the logic which returns a new unknown value of the
	desired type if it fails.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93778
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	Rename to...
	(impl_region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	(exploded_node::on_stmt): Pass ctxt to purge_for_unknown_fncall.
	* exploded-graph.h (region_model_context::on_unknown_tree_code):
	Rename to...
	(region_model_context::on_unexpected_tree_code): ...this and
	convert first argument from path_var to tree.
	* program-state.cc (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param and pass on to calls to get_rvalue.
	* program-state.h (sm_state_map::purge_for_unknown_fncall): Add
	ctxt param.
	* region-model.cc (region_model::handle_unrecognized_call): Pass
	ctxt on to call to get_rvalue.
	(region_model::get_lvalue_1): Move body of default case to
	region_model::make_region_for_unexpected_tree_code and call it.
	Within COMPONENT_REF case, reject attempts to handle types other
	than RECORD_TYPE and UNION_TYPE.
	(region_model::make_region_for_unexpected_tree_code): New
	function, based on default case of region_model::get_lvalue_1.
	* region-model.h
	(region_model::make_region_for_unexpected_tree_code): New decl.
	(region_model::on_unknown_tree_code): Rename to...
	(region_model::on_unexpected_tree_code): ...this and convert first
	argument from path_var to tree.
	(class test_region_model_context): Update vfunc implementation for
	above change.

2020-02-18  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93774
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Use
	int_size_in_bytes before calling size_in_bytes, to gracefully fail
	on incomplete types.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93775
	* region-model.cc (region_model::get_fndecl_for_call): Handle the
	case where the code_region's get_tree_for_child_region returns
	NULL.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93388
	* engine.cc (impl_region_model_context::on_unknown_tree_code):
	New.
	(exploded_graph::get_or_create_node): Reject invalid states.
	* exploded-graph.h
	(impl_region_model_context::on_unknown_tree_code): New decl.
	(point_and_state::point_and_state): Assert that the state is
	valid.
	* program-state.cc (program_state::program_state): Initialize
	m_valid to true.
	(program_state::operator=): Copy m_valid.
	(program_state::program_state): Likewise for move constructor.
	(program_state::print): Print m_valid.
	(program_state::dump_to_pp): Likewise.
	* program-state.h (program_state::m_valid): New field.
	* region-model.cc (region_model::get_lvalue_1): Implement the
	default case by returning a new symbolic region and calling
	the context's on_unknown_tree_code, rather than issuing an
	internal_error. Implement VIEW_CONVERT_EXPR.
	* region-model.h (region_model_context::on_unknown_tree_code): New
	vfunc.
	(test_region_model_context::on_unknown_tree_code): New.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	* sm-malloc.cc (malloc_diagnostic::describe_state_change): For
	transition to the "null" state, only say "assuming" when
	transitioning from the "unchecked" state.

2020-02-17  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.h (diagnostic_manager::get_saved_diagnostic):
	Add const overload.
	* engine.cc (exploded_node::dump_dot): Dump saved_diagnostics.
	* exploded-graph.h (exploded_graph::get_diagnostic_manager): Add
	const overload.

2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93288
	* analysis-plan.cc (analysis_plan::use_summary_p): Look through
	the ultimate_alias_target when getting the called function.
	* engine.cc (exploded_node::on_stmt): Rename second "ctxt" to
	"sm_ctxt". Use the region_model's get_fndecl_for_call rather than
	gimple_call_fndecl.
	* region-model.cc (region_model::get_fndecl_for_call): Use
	ultimate_alias_target on fndecl.
	* supergraph.cc (get_ultimate_function_for_cgraph_edge): New
	function.
	(supergraph_call_edge): Use it when rejecting edges without
	functions.
	(supergraph::supergraph): Use it to get the function for the
	cgraph_edge when building interprocedural superedges.
	(callgraph_superedge::get_callee_function): Use it.
	* supergraph.h (supergraph::get_num_snodes): Make param const.
	(supergraph::function_to_num_snodes_t): Make first type param
	const.

a60d9889
DM
69552020-02-11 David Malcolm <dmalcolm@redhat.com>
6956
6957 PR analyzer/93374
6958 * engine.cc (exploded_edge::exploded_edge): Add ext_state param
6959 and pass it to change.validate.
6960 (exploded_graph::get_or_create_node): Move purging of change
6961 svalues to also cover the case of reusing an existing enode.
6962 (exploded_graph::add_edge): Pass m_ext_state to exploded_edge's
6963 ctor.
6964 * exploded-graph.h (exploded_edge::exploded_edge): Add ext_state
6965 param.
6966 * program-state.cc (state_change::sm_change::validate): Likewise.
6967 Assert that m_sm_idx is sane. Use ext_state to validate
6968 m_old_state and m_new_state.
6969 (state_change::validate): Add ext_state param and pass it to
6970 the sm_change validate calls.
6971 * program-state.h (state_change::sm_change::validate): Add
6972 ext_state param.
6973 (state_change::validate): Likewise.
6974
a0e4929b
DM
69752020-02-11 David Malcolm <dmalcolm@redhat.com>
6976
6977 PR analyzer/93669
6978 * engine.cc (exploded_graph::dump_exploded_nodes): Handle missing
6979 case of STATUS_WORKLIST in implementation of
6980 "__analyzer_dump_exploded_nodes".
6981
cd28b759
DM
69822020-02-11 David Malcolm <dmalcolm@redhat.com>
6983
6984 PR analyzer/93649
6985 * constraint-manager.cc (constraint_manager::add_constraint): When
6986 merging equivalence classes and updating m_constant, also update
6987 m_cst_sid.
6988 (constraint_manager::validate): If m_constant is non-NULL assert
6989 that m_cst_sid is non-null and is valid.
6990
5e17c1bd
DM
69912020-02-11 David Malcolm <dmalcolm@redhat.com>
6992
6993 PR analyzer/93657
6994 * analyzer.opt (fdump-analyzer): Reword description.
6995 (fdump-analyzer-stderr): Likewise.
6996
2020-02-11  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (print_quoted_type): New function.
	(svalue::print): Use it to replace %qT.
	(region::dump_to_pp): Likewise.
	(region::dump_child_label): Likewise.
	(region::print_fields): Likewise.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93659
	* analyzer.opt (-param=analyzer-max-recursion-depth=): Fix "tha"
	-> "that" typo.
	(Wanalyzer-use-of-uninitialized-value): Fix "initialized" ->
	"uninitialized" typo.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93350
	* region-model.cc (region_model::get_lvalue_1):
	Handle BIT_FIELD_REF.
	(make_region_for_type): Handle VECTOR_TYPE.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93647
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof against
	VAR being constant.
	* region-model.cc (region_model::get_lvalue_1): Provide a better
	error message when encountering an unhandled tree code.

2020-02-10  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93405
	* region-model.cc (region_model::get_lvalue_1): Implement
	CONST_DECL.

2020-02-06  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (region_model::maybe_cast_1): Attempt to provide
	a region_svalue if either type is a pointer, rather than if both
	types are pointers.

2020-02-05  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (exploded_node::dump_dot): Show merger enodes.
	(worklist::add_node): Assert that the node's m_status is
	STATUS_WORKLIST.
	(exploded_graph::process_worklist): Likewise for nodes from the
	worklist. Set status of merged nodes to STATUS_MERGER.
	(exploded_graph::process_node): Set status of node to
	STATUS_PROCESSED.
	(exploded_graph::dump_exploded_nodes): Rework handling of
	"__analyzer_dump_exploded_nodes", splitting enodes by status into
	"processed" and "merger", showing the count of just the processed
	enodes at the call, rather than the count of all enodes.
	* exploded-graph.h (exploded_node::status): New enum.
	(exploded_node::exploded_node): Initialize m_status to
	STATUS_WORKLIST.
	(exploded_node::get_status): New getter.
	(exploded_node::set_status): New setter.

2020-02-04  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93543
	* engine.cc (pod_hash_traits<function_call_string>::mark_empty):
	Eliminate reinterpret_cast.
	(pod_hash_traits<function_call_string>::is_empty): Likewise.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	* constraint-manager.cc (range::constrained_to_single_element):
	Replace fold_build2 with fold_binary. Remove unnecessary newline.
	(constraint_manager::get_or_add_equiv_class): Replace fold_build2
	with fold_binary in two places, and remove out-of-date comment.
	(constraint_manager::eval_condition): Replace fold_build2 with
	fold_binary.
	* region-model.cc (constant_svalue::eval_condition): Likewise.
	(region_model::on_assignment): Likewise.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93544
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Bulletproof
	against bad choices due to bad paths.
	* engine.cc (impl_region_model_context::on_phi): New.
	* exploded-graph.h (impl_region_model_context::on_phi): New decl.
	* region-model.cc (region_model::on_longjmp): Likewise.
	(region_model::handle_phi): Add phi param. Call the ctxt's on_phi
	vfunc.
	(region_model::update_for_phis): Pass phi to handle_phi.
	* region-model.h (region_model::handle_phi): Add phi param.
	(region_model_context::on_phi): New vfunc.
	(test_region_model_context::on_phi): New.
	* sm-malloc.cc (malloc_state_machine::on_phi): New.
	(malloc_state_machine::on_zero_assignment): New.
	* sm.h (state_machine::on_phi): New vfunc.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (supernode_cluster::dump_dot): Show BB index as
	well as SN index.
	* supergraph.cc (supernode::dump_dot): Likewise.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93546
	* region-model.cc (region_model::on_call_pre): Update for new
	param of symbolic_region ctor.
	(region_model::deref_rvalue): Likewise.
	(region_model::add_new_malloc_region): Likewise.
	(make_region_for_type): Likewise, preserving type.
	* region-model.h (symbolic_region::symbolic_region): Add "type"
	param and pass it to base class ctor.

2020-02-03  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93547
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Ensure types are
	compatible before comparing constants.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93457
	* region-model.cc (make_region_for_type): Use VOID_TYPE_P rather
	than checking against void_type_node.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93373
	* region-model.cc (ASSERT_COMPAT_TYPES): Convert to...
	(assert_compat_types): ...this, and bail when either type is NULL,
	or when VOID_TYPE_P (dst_type).
	(region_model::get_lvalue): Update for above conversion.
	(region_model::get_rvalue): Likewise.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93379
	* region-model.cc (region_model::update_for_return_superedge):
	Move check for null result so that it also guards setting the
	lhs.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93438
	* region-model.cc (stack_region::can_merge_p): Split into a two
	pass approach, creating all stack regions first, then populating
	them.
	(selftest::test_state_merging): Add test coverage for (a) the case
	of self-merging a model in which a local in an older stack frame
	points to a local in a more recent stack frame (which previously
	would ICE), and (b) the case of self-merging a model in which a
	local points to a global (which previously worked OK).

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Replace tests for fndecl being
	extern at file scope and having a non-NULL DECL_NAME with a call
	to maybe_special_function_p.
	* function-set.cc (function_set::contains_decl_p): Add call to
	maybe_special_function_p.

2020-01-31  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93450
	* constraint-manager.cc
	(constraint_manager::get_or_add_equiv_class): Only compare constants
	if their types are compatible.
	* region-model.cc (constant_svalue::eval_condition): Replace check
	for identical types with call to types_compatible_p.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (extrinsic_state::dump_to_pp): New.
	(extrinsic_state::dump_to_file): New.
	(extrinsic_state::dump): New.
	* program-state.h (extrinsic_state::dump_to_pp): New decl.
	(extrinsic_state::dump_to_file): New decl.
	(extrinsic_state::dump): New decl.
	* sm.cc: Include "pretty-print.h".
	(state_machine::dump_to_pp): New.
	* sm.h (state_machine::dump_to_pp): New decl.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (for_each_state_change): Use
	extrinsic_state::get_num_checkers rather than accessing m_checkers
	directly.
	* program-state.cc (program_state::program_state): Likewise.
	* program-state.h (extrinsic_state::m_checkers): Make private.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93356
	* region-model.cc (region_model::eval_condition): In both
	overloads, bail out immediately on floating-point types.
	(region_model::eval_condition_without_cm): Likewise.
	(region_model::add_constraint): Likewise.

2020-01-30  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93450
	* program-state.cc (sm_state_map::set_state): For the overload
	taking an svalue_id, bail out if the set_state on the ec does
	nothing. Convert the latter's return type from void to bool,
	returning true if anything changed.
	(sm_state_map::impl_set_state): Convert the return type from void
	to bool, returning true if the state changed.
	* program-state.h (sm_state_map::set_state): Convert return type
	from void to bool.
	(sm_state_map::impl_set_state): Likewise.
	* region-model.cc (constant_svalue::eval_condition): Only call
	fold_build2 if the types are the same.

2020-01-29  Jakub Jelinek  <jakub@redhat.com>

	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Remove.
	* constraint-manager.cc: Include diagnostic-core.h before graphviz.h.
	(range::dump, equiv_class::print): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.
	* state-purge.cc: Include diagnostic-core.h before
	gimple-pretty-print.h.
	(state_purge_annotator::add_node_annotations, print_vec_of_names):
	Don't use PUSH_IGNORE_WFORMAT or POP_IGNORE_WFORMAT.
	* region-model.cc: Move diagnostic-core.h include before graphviz.h.
	(path_var::dump, svalue::print, constant_svalue::print_details,
	region::dump_to_pp, region::dump_child_label, region::print_fields,
	map_region::print_fields, map_region::dump_dot_to_pp,
	map_region::dump_child_label, array_region::print_fields,
	array_region::dump_dot_to_pp): Don't use PUSH_IGNORE_WFORMAT or
	POP_IGNORE_WFORMAT.

2020-01-28  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93316
	* engine.cc (rewind_info_t::update_model): Get the longjmp call
	stmt via get_longjmp_call () rather than assuming it is the last
	stmt in the longjmp's supernode.
	(rewind_info_t::add_events_to_path): Get the location_t for the
	rewind_from_longjmp_event via get_longjmp_call () rather than from
	the supernode's get_end_location ().

2020-01-28  David Malcolm  <dmalcolm@redhat.com>

	* region-model.cc (poisoned_value_diagnostic::emit): Update for
	renaming of warning_at overload to warning_meta.
	* sm-file.cc (file_leak::emit): Likewise.
	* sm-malloc.cc (double_free::emit): Likewise.
	(possible_null_deref::emit): Likewise.
	(possible_null_arg::emit): Likewise.
	(null_deref::emit): Likewise.
	(null_arg::emit): Likewise.
	(use_after_free::emit): Likewise.
	(malloc_leak::emit): Likewise.
	(free_of_non_heap::emit): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::emit): Likewise.
	* sm-signal.cc (signal_unsafe_call::emit): Likewise.
	* sm-taint.cc (tainted_array_index::emit): Likewise.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93451
	* region-model.cc (tree_cmp): For the REAL_CST case, impose an
	arbitrary order on NaNs relative to other NaNs and to non-NaNs;
	const-correctness tweak.
	(ana::selftests::build_real_cst_from_string): New function.
	(ana::selftests::append_interesting_constants): New function.
	(ana::selftests::test_tree_cmp_on_constants): New test.
	(ana::selftests::test_canonicalization_4): New test.
	(ana::selftests::analyzer_region_model_cc_tests): Call the new
	tests.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93349
	* engine.cc (run_checkers): Save and restore input_location.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	* call-string.cc (call_string::cmp_1): Delete, moving body to...
	(call_string::cmp): ...here.
	* call-string.h (call_string::cmp_1): Delete decl.
	* engine.cc (worklist::key_t::cmp_1): Delete, moving body to...
	(worklist::key_t::cmp): ...here. Implement hash comparisons
	via comparison rather than subtraction to avoid overflow issues.
	* exploded-graph.h (worklist::key_t::cmp_1): Delete decl.
	* region-model.cc (tree_cmp): Eliminate buggy checking for
	symmetry.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.cc (is_named_call_p): Check that fndecl is "extern"
	and at file scope. Potentially disregard prefix _ or __ in
	fndecl's name. Bail if the identifier is NULL.
	(is_setjmp_call_p): Expect a gcall rather than plain gimple.
	Remove special-case check for leading prefix, and also check for
	sigsetjmp.
	(is_longjmp_call_p): Also check for siglongjmp.
	(get_user_facing_name): New function.
	* analyzer.h (is_setjmp_call_p): Expect a gcall rather than plain
	gimple.
	(get_user_facing_name): New decl.
	* checker-path.cc (setjmp_event::get_desc): Use
	get_user_facing_name to avoid hardcoding the function name.
	(rewind_event::rewind_event): Add rewind_info param, using it to
	initialize new m_rewind_info field, and strengthen the assertion.
	(rewind_from_longjmp_event::get_desc): Use get_user_facing_name to
	avoid hardcoding the function name.
	(rewind_to_setjmp_event::get_desc): Likewise.
	* checker-path.h (setjmp_event::setjmp_event): Add setjmp_call
	param and use it to initialize...
	(setjmp_event::m_setjmp_call): New field.
	(rewind_event::rewind_event): Add rewind_info param.
	(rewind_event::m_rewind_info): New protected field.
	(rewind_from_longjmp_event::rewind_from_longjmp_event): Add
	rewind_info param.
	(class rewind_to_setjmp_event): Move rewind_info field to parent
	class.
	* diagnostic-manager.cc (diagnostic_manager::add_events_for_eedge):
	Update setjmp-handling for is_setjmp_call_p requiring a gcall;
	pass the call to the new setjmp_event.
	* engine.cc (exploded_node::on_stmt): Update for is_setjmp_call_p
	requiring a gcall.
	(stale_jmp_buf::emit): Use get_user_facing_name to avoid
	hardcoding the function names.
	(exploded_node::on_longjmp): Pass the longjmp_call when
	constructing rewind_info.
	(rewind_info_t::add_events_to_path): Pass the rewind_info_t to the
	rewind_from_longjmp_event's ctor.
	* exploded-graph.h (rewind_info_t::rewind_info_t): Add
	longjmp_call param.
	(rewind_info_t::get_longjmp_call): New.
	(rewind_info_t::m_longjmp_call): New.
	* region-model.cc (region_model::on_setjmp): Update comment to
	indicate this is also for sigsetjmp.
	* region-model.h (struct setjmp_record): Likewise.
	(class setjmp_svalue): Likewise.

2020-01-27  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93276
	* analyzer.h (PUSH_IGNORE_WFORMAT, POP_IGNORE_WFORMAT): Guard these
	macros with GCC_VERSION >= 4006, making them no-op otherwise.
	* engine.cc (exploded_edge::exploded_edge): Specify template for
	base class initializer.
	(exploded_graph::add_edge): Specify template when chaining up to
	base class add_edge implementation.
	(viz_callgraph_node::dump_dot): Drop redundant "typename".
	(viz_callgraph_edge::viz_callgraph_edge): Specify template for
	base class initializer.
	* program-state.cc (sm_state_map::clone_with_remapping): Drop
	redundant "typename".
	(sm_state_map::print): Likewise.
	(sm_state_map::hash): Likewise.
	(sm_state_map::operator==): Likewise.
	(sm_state_map::remap_svalue_ids): Likewise.
	(sm_state_map::on_svalue_purge): Likewise.
	(sm_state_map::validate): Likewise.
	* program-state.h (sm_state_map::iterator_t): Likewise.
	* supergraph.h (superedge::superedge): Specify template for base
	class initializer.

2020-01-23  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93375
	* supergraph.cc (callgraph_superedge::get_arg_for_parm): Fail
	gracefully if the number of parameters at the callee exceeds the
	number of arguments at the call stmt.
	(callgraph_superedge::get_parm_for_arg): Likewise.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93382
	* program-state.cc (sm_state_map::on_svalue_purge): If the
	entry survives, but the origin is being purged, then reset the
	origin to null.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	* sm-signal.cc: Fix nesting of CHECKING_P and namespace ana.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93378
	* engine.cc (setjmp_svalue::compare_fields): Update for
	replacement of m_enode with m_setjmp_record.
	(setjmp_svalue::add_to_hash): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::print_details): Update for replacement of m_enode
	with m_setjmp_record.
	(exploded_node::on_longjmp): Likewise.
	* exploded-graph.h (rewind_info_t::m_enode_origin): Replace...
	(rewind_info_t::m_setjmp_record): ...with this.
	(rewind_info_t::rewind_info_t): Update for replacement of m_enode
	with m_setjmp_record.
	(rewind_info_t::get_setjmp_point): Likewise.
	(rewind_info_t::get_setjmp_call): Likewise.
	* region-model.cc (region_model::dump_summary_of_map): Likewise.
	(region_model::on_setjmp): Likewise.
	* region-model.h (struct setjmp_record): New struct.
	(setjmp_svalue::m_enode): Replace...
	(setjmp_svalue::m_setjmp_record): ...with this.
	(setjmp_svalue::setjmp_svalue): Update for replacement of m_enode
	with m_setjmp_record.
	(setjmp_svalue::clone): Likewise.
	(setjmp_svalue::get_index): Rename...
	(setjmp_svalue::get_enode_index): ...to this.
	(setjmp_svalue::get_exploded_node): Replace...
	(setjmp_svalue::get_setjmp_record): ...with this.

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93316
	* analyzer.cc (is_setjmp_call_p): Check for "setjmp" as well as
	"_setjmp".

2020-01-22  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93307
	* analysis-plan.h: Wrap everything in namespace "ana".
	* analyzer-logging.cc: Likewise.
	* analyzer-logging.h: Likewise.
	* analyzer-pass.cc (pass_analyzer::execute): Update for "ana"
	namespace.
	* analyzer-selftests.cc: Wrap everything in namespace "ana".
	* analyzer-selftests.h: Likewise.
	* analyzer.h: Likewise for forward decls of types.
	* call-string.h: Likewise.
	* checker-path.cc: Likewise.
	* checker-path.h: Likewise.
	* constraint-manager.cc: Likewise.
	* constraint-manager.h: Likewise.
	* diagnostic-manager.cc: Likewise.
	* diagnostic-manager.h: Likewise.
	* engine.cc: Likewise.
	* engine.h: Likewise.
	* exploded-graph.h: Likewise.
	* function-set.cc: Likewise.
	* function-set.h: Likewise.
	* pending-diagnostic.cc: Likewise.
	* pending-diagnostic.h: Likewise.
	* program-point.cc: Likewise.
	* program-point.h: Likewise.
	* program-state.cc: Likewise.
	* program-state.h: Likewise.
	* region-model.cc: Likewise.
	* region-model.h: Likewise.
	* sm-file.cc: Likewise.
	* sm-malloc.cc: Likewise.
	* sm-pattern-test.cc: Likewise.
	* sm-sensitive.cc: Likewise.
	* sm-signal.cc: Likewise.
	* sm-taint.cc: Likewise.
	* sm.cc: Likewise.
	* sm.h: Likewise.
	* state-purge.h: Likewise.
	* supergraph.cc: Likewise.
	* supergraph.h: Likewise.

2020-01-21  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93352
	* region-model.cc (int_cmp): Rename to...
	(array_region::key_cmp): ...this, using key_t rather than int.
	Rewrite in terms of comparisons rather than subtraction to
	ensure qsort is anti-symmetric when handling extreme values.
	(array_region::walk_for_canonicalization): Update for above
	renaming.
	* region-model.h (array_region::key_cmp): New decl.

2020-01-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93290
	* region-model.cc (region_model::eval_condition_without_cm): Avoid
	gcc_unreachable for unexpected operations for the case where
	we're comparing an svalue against itself.

2020-01-17  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93281
	* region-model.cc
	(region_model::convert_byte_offset_to_array_index): Convert to
	ssizetype before dividing by byte_size. Use fold_binary rather
	than fold_build2 to avoid needlessly constructing a tree for the
	non-const case.

2020-01-15  David Malcolm  <dmalcolm@redhat.com>

	* engine.cc (class impl_region_model_context): Fix comment.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/93212
	* region-model.cc (make_region_for_type): Use
	FUNC_OR_METHOD_TYPE_P rather than comparing against FUNCTION_TYPE.
	* region-model.h (function_region::function_region): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* program-state.cc (sm_state_map::clone_with_remapping): Copy
	m_global_state.
	(selftest::test_program_state_merging_2): New selftest.
	(selftest::analyzer_program_state_cc_tests): Call it.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_path::get_checker_event): New function.
	(checker_path): Add DISABLE_COPY_AND_ASSIGN; make fields private.
	* diagnostic-manager.cc
	(diagnostic_manager::prune_for_sm_diagnostic): Replace direct
	access to checker_path::m_events with accessor functions. Fix
	overlong line.
	(diagnostic_manager::prune_interproc_events): Replace direct
	access to checker_path::m_events with accessor functions.
	(diagnostic_manager::finish_pruning): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* checker-path.h (checker_event::clone): Delete vfunc decl.
	(debug_event::clone): Delete vfunc impl.
	(custom_event::clone): Delete vfunc impl.
	(statement_event::clone): Delete vfunc impl.
	(function_entry_event::clone): Delete vfunc impl.
	(state_change_event::clone): Delete vfunc impl.
	(start_cfg_edge_event::clone): Delete vfunc impl.
	(end_cfg_edge_event::clone): Delete vfunc impl.
	(call_event::clone): Delete vfunc impl.
	(return_event::clone): Delete vfunc impl.
	(setjmp_event::clone): Delete vfunc impl.
	(rewind_from_longjmp_event::clone): Delete vfunc impl.
	(rewind_to_setjmp_event::clone): Delete vfunc impl.
	(warning_event::clone): Delete vfunc impl.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* supergraph.cc (supernode::dump_dot): Ensure that the TABLE
	element has at least one TR.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/58237
	* engine.cc (leak_stmt_finder::find_stmt): Use get_pure_location
	when comparing against UNKNOWN_LOCATION.
	(stmt_requires_new_enode_p): Likewise.
	(exploded_graph::dump_exploded_nodes): Likewise.
	* supergraph.cc (supernode::get_start_location): Likewise.
	(supernode::get_end_location): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	PR analyzer/58237
	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_file_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_file_cc_tests): New
	decl.
	* sm-file.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_file_using_fns): New function.
	(is_file_using_fn_p): New function.
	(fileptr_state_machine::on_stmt): Return true for known functions.
	(selftest::analyzer_sm_file_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_sm_signal_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_sm_signal_cc_tests):
	New decl.
	* sm-signal.cc: Include "analyzer/function-set.h" and
	"analyzer/analyzer-selftests.h".
	(get_async_signal_unsafe_fns): New function.
	(signal_unsafe_p): Reimplement in terms of the above.
	(selftest::analyzer_sm_signal_cc_tests): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer-selftests.cc (selftest::run_analyzer_selftests): Call
	selftest::analyzer_function_set_cc_tests.
	* analyzer-selftests.h (selftest::analyzer_function_set_cc_tests):
	New decl.
	* function-set.cc: New file.
	* function-set.h: New file.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* analyzer.h (fndecl_has_gimple_body_p): New decl.
	* engine.cc (impl_region_model_context::on_unknown_change): New
	function.
	(fndecl_has_gimple_body_p): Make non-static.
	(exploded_node::on_stmt): Treat __analyzer_dump_exploded_nodes as
	known. Track whether we have a call with unknown side-effects and
	pass it to on_call_post.
	* exploded-graph.h (impl_region_model_context::on_unknown_change):
	New decl.
	* program-state.cc (sm_state_map::on_unknown_change): New function.
	* program-state.h (sm_state_map::on_unknown_change): New decl.
	* region-model.cc: Include "bitmap.h".
	(region_model::on_call_pre): Return a bool, capturing whether the
	call has unknown side effects.
	(region_model::on_call_post): Add arg "bool unknown_side_effects"
	and if true, call handle_unrecognized_call.
	(class reachable_regions): New class.
	(region_model::handle_unrecognized_call): New function.
	* region-model.h (region_model::on_call_pre): Return a bool.
	(region_model::on_call_post): Add arg "bool unknown_side_effects".
	(region_model::handle_unrecognized_call): New decl.
	(region_model_context::on_unknown_change): New vfunc.
	(test_region_model_context::on_unknown_change): New function.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (saved_diagnostic::operator==): Move here
	from header. Replace pointer equality test on m_var with call to
	pending_diagnostic::same_tree_p.
	* diagnostic-manager.h (saved_diagnostic::operator==): Move to
	diagnostic-manager.cc.
	* pending-diagnostic.cc (pending_diagnostic::same_tree_p): New.
	* pending-diagnostic.h (pending_diagnostic::same_tree_p): New.
	* sm-file.cc (file_diagnostic::subclass_equal_p): Replace pointer
	equality on m_arg with call to pending_diagnostic::same_tree_p.
	* sm-malloc.cc (malloc_diagnostic::subclass_equal_p): Likewise.
	(possible_null_arg::subclass_equal_p): Likewise.
	(null_arg::subclass_equal_p): Likewise.
	(free_of_non_heap::subclass_equal_p): Likewise.
	* sm-pattern-test.cc (pattern_match::operator==): Likewise.
	* sm-sensitive.cc (exposure_through_output_file::operator==):
	Likewise.
	* sm-taint.cc (tainted_array_index::operator==): Likewise.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* diagnostic-manager.cc (dedupe_winners::add): Add logging
	of deduplication decisions made.

2020-01-14  David Malcolm  <dmalcolm@redhat.com>

	* ChangeLog: New file.
	* analyzer-selftests.cc: New file.
	* analyzer-selftests.h: New file.
	* analyzer.opt: New file.
	* analysis-plan.cc: New file.
	* analysis-plan.h: New file.
	* analyzer-logging.cc: New file.
	* analyzer-logging.h: New file.
	* analyzer-pass.cc: New file.
	* analyzer.cc: New file.
	* analyzer.h: New file.
	* call-string.cc: New file.
	* call-string.h: New file.
	* checker-path.cc: New file.
	* checker-path.h: New file.
	* constraint-manager.cc: New file.
	* constraint-manager.h: New file.
	* diagnostic-manager.cc: New file.
	* diagnostic-manager.h: New file.
	* engine.cc: New file.
	* engine.h: New file.
	* exploded-graph.h: New file.
	* pending-diagnostic.cc: New file.
	* pending-diagnostic.h: New file.
	* program-point.cc: New file.
	* program-point.h: New file.
	* program-state.cc: New file.
	* program-state.h: New file.
	* region-model.cc: New file.
	* region-model.h: New file.
	* sm-file.cc: New file.
	* sm-malloc.cc: New file.
	* sm-malloc.dot: New file.
	* sm-pattern-test.cc: New file.
	* sm-sensitive.cc: New file.
	* sm-signal.cc: New file.
	* sm-taint.cc: New file.
	* sm.cc: New file.
	* sm.h: New file.
	* state-purge.cc: New file.
	* state-purge.h: New file.
	* supergraph.cc: New file.
	* supergraph.h: New file.

2019-12-13  David Malcolm  <dmalcolm@redhat.com>

	* Initial creation


Copyright (C) 2019-2022 Free Software Foundation, Inc.

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.